Preface 


Organization of the Book 
Securing and Optimizing Linux: Red Hat Edition has 31 chapters, organized into thirteen parts 
and four appendixes: 




Part I: Installation Related Reference includes two chapters; the first chapter 
introduces Linux in general and gives some basic information to the new Linux reader 
who is not familiar with this operating system. The second chapter guides you through 
the steps of installing Linux (from CD) in the most secure manner, with only the essential 
and critical software for a clean and secure installation. 


Part II: Security and Optimization Related Reference focuses on how to secure and 
tune Linux after it has been installed. Part II includes four chapters that explain how to 
protect your Linux system, how to use and apply Pluggable Authentication Modules 
(PAM), and how to optimize your system for your specific processor and memory. Finally, the 
last chapter describes how to install, optimize, protect and customize the Kernel. All 
information in Part II of the book applies to the whole system. 


Part III: Networking Related Reference contains three chapters, where the first chapter 
answers fundamental questions about network devices, network configuration files, and 
network security as well as essential networking commands. The second and third 
chapters provide information about firewalls as well as the popular masquerading feature 
of Linux and how to configure and customize the new powerful IPTABLES tool of this 
system to fit your personal needs. 





Part IV: Cryptography & Authentication Related Reference contains three chapters 
which talk about essential security tools needed to secure network communication. 
These tools are the minimum that should be installed on any type of Linux server. 


Part V: Monitoring & System Integrity Related Reference provides five chapters which 
help you to tighten security in your server by the use of some powerful security software. 


Part VI: Management & Limitation Related Reference presently includes just one 
chapter, which is about limiting users' space usage on the server. 


Part VII: Domain Name System Related Reference will discuss the Domain Name 
System, which is an essential service to install in all Linux servers you want on the 
network. This part of the book is important and must be read by everyone. 


Part VIII: Mail Transfer Agent Related Reference will explain everything about 
installing and configuring a Mail Server and the minimum mail software to install. It is one 
of the most important parts of the book. 


Part IX: Internet Message Access Protocol Related Reference is the last required part 
to read before going into installation of specific services in your Linux system. It 
discusses the mail software required to allow your users to get and read their electronic 
mail. 


Part X: Database Server Related Reference contains three chapters about the most 
commonly used and powerful databases on *NIX systems. 


Part XI: Gateway Server Related Reference discusses installing a powerful proxy 
server and configuring encrypted network services. 




Part XII: Other Server Related Reference shows you how to use Linux for specific 
purposes such as setting up a customized FTP server, running a World Wide Web server 
and sharing files between different systems, all in a secure and optimized manner. 


Part XIII: Backup Related Reference describes how to make a reliable backup of your 
valuable files in a convenient way. This part includes a chapter that explains how to 
perform backups with the traditional and universal UNIX tools “tar”, and “dump”, which 
enables you to use the same procedures, without any modification, with the other Unix 
family platforms. 


The appendixes are as follows: 


• Appendix A: Tweaks, Tips and Administration Tasks has several useful Linux 
tips on administration, networking and shell commands. 


• Appendix B: Contributor Users lists Linux users around the world who have 
participated on a voluntary basis by providing good suggestions, 
recommendations, help, tips, corrections, ideas and other information to help in 
the development of this book. Thanks to all of you. 


• Appendix C: Obtaining Requests for Comments (RFCs) provides an 
alphabetical reference for important RFCs related to the software or protocols 
described in the book. 


Steps of installation 

Depending on your level of knowledge in Linux, you can read this book from the beginning 
through to the end or only the chapters that interest you. Each chapter and section of this book 
is written in a manner that lets you read only the parts of interest to you without the need to 
schedule one day of reading. Too many books on the market take myriad pages to explain 
something that can be explained in two lines; I'm sure that a lot of you agree with my opinion. 
This book tries to be different by talking only about the essential and important information that 
the readers want to know, eliminating all the nonsense. 


Although you can read this book in the order you want, there is a particular order that you could 
follow if something seems to be confusing you. The steps shown below are what I recommend: 


✓ Set up Linux on your computer. 
✓ Remove all the unnecessary RPM packages. 
✓ Install the necessary RPM packages for compilation of software (if needed). 
✓ Secure the system in general. 
✓ Optimize the system in general. 
✓ Reinstall, recompile and customize the Kernel to fit your specific system. 
✓ Configure the firewall script according to which services will be installed on your system. 
✓ Install OpenSSL to be able to use encryption with the Linux server. 
✓ Install OpenSSH to be able to perform secure remote administration tasks. 
✓ Install sXid. 
✓ Install Logcheck. 
✓ Install PortSentry. 
✓ Install Tripwire. 
✓ Install ISC BIND/DNS. 
✓ Install Sendmail or qmail. 
✓ Install any other software you need afterwards to enable specific services on the server. 
Author note 

According to some surveys on the Internet, Linux will be the number one operating system for a 
server platform in the year 2003. Presently it is number two, and at one time no one thought that it 
would reach even this second place. Many organizations, companies, universities, governments, 
the military, etc., kept quiet about it. Crackers use it as the operating system par excellence to 
crack computers around the world. Why do so many people use it instead of other well-known 
operating systems? The answer is simple: Linux is free and the most powerful, reliable, and 
secure operating system in the world, provided it is well configured. Millions of programmers, 
home users, hackers, developers, etc. work on a voluntary basis to develop different programs 
related to security and services, and share their work with other people to improve it without 
expecting anything in return. This is the revolution of the Open Source movement that we see 
and hear about so often on the Internet and in the media. 


If crackers can use Linux to penetrate servers, security specialists can use the same means to 
protect servers (to win a war, you should at least have weapons equivalent to what your enemy 
may be using). When security holes are encountered, Linux is the one operating system that has 
a solution, and that is not by chance. Now someone may say: with all these beautiful features, why 
is Linux not as popular as other well-known operating systems? There are many reasons and 
different answers on the Internet. I would just say that, like everything else in life, anything that we 
expect the most of is more difficult to get than the average and easier to acquire. Linux 
and *NIX are more difficult to learn than any other operating system. It is only for those who want 
to know computers in depth and know what they are doing. People prefer to use other OSs, which 
are easy to operate but make it hard to understand what is happening in the background, since they only 
have to click on a button without really knowing what their actions imply. Every UNIX operating 
system like Linux will lead you, unconsciously, to know exactly what you are doing, because if you 
proceed without understanding the consequences of the decisions you make, then nothing will 
work as expected. This is why with Linux you will know the real meaning of a computer, 
and especially of a server environment, where every decision warrants an action which will closely 
impact the security of your organization and employees. 


Many Web sites are open to all sorts of "web hacking." According to the Computer Security 
Institute and the FBI's joint survey, 90% of 643 computer security practitioners from government 
agencies, private corporations, and universities detected cyber attacks last year. Over 
$265,589,940 in financial losses was reported by 273 organizations. 


Many readers of the previous version of this book told me that the book was an easy step-by-step 
guide for newbies. I am flattered, but I prefer to admit that it was targeting a technical audience, 
and I assumed the reader had some background in Linux and UNIX systems. If this is not true in your 
case, I highly recommend you read some good books on network administration related to 
UNIX, and especially to Linux, before venturing into this book. Remember that talking about security 
and optimization is a very serious endeavor. It is very important to be attentive and understand 
every detail in this book, and if difficulties arise, going back and rereading the explanation will save 
a lot of frustration. Once again, security is not a game, and crackers await only one single error 
on your part to enter your system. A castle has many doors, and if just one stays open, that will be 
enough to let intruders into your fortress. You have been warned. 


Many efforts went into the making of this book, making sure that the results were as accurate as 
possible. If you find any abnormalities, inconsistent results, errors, omissions or anything else that 
doesn't look right, please let me know so I can investigate the problem and/or correct the error. 
Suggestions for future versions are also welcome and appreciated. A web site dedicated to this 
book is available on the Internet for your convenience. If you have any problem, question, 
recommendation, etc., please go to the following URL: http://www.openna.com/ We made this site 
for you. 




Audience 

This book is intended for a technical audience and system administrators who manage Linux 
servers, but it also includes material for home users and others. It discusses how to install and 
set up a Linux Server with all the necessary security and optimization for a high performance 
Linux specific machine. It can also be applied with some minor changes to other Linux variants 
without difficulty. Since we speak of optimization and security configuration, we will use a source 
distribution (tar.gz) program for critical server software like Apache, ISC BIND/DNS, Samba, 
Squid, OpenSSL etc. Source packages give us fast upgrades, security updates when necessary, 
and better compilation, customization, and optimization options for specific machines that often 
aren't available with RPM packages. 


These installation instructions assume 
You have a CD-ROM drive on your computer and the Official Red Hat Linux CD-ROM. 
Installations were tested on the Official Red Hat Linux version 7.1. 


You should familiarize yourself with the hardware on which the operating system will be installed. 
After examining the hardware, the rest of this document guides you, step-by-step, through the 
installation process. 


About products mentioned in this book 

Many products will be mentioned in this book— some commercial, but most are not, cost nothing 
and can be freely used or distributed. It is also important to say that I'm not affiliated with any 
specific brand and if I mention a tool, it's because it is useful. You will find that a lot of big 
companies in their daily tasks, use most of them. 


Obtaining the example configuration files 

In a true server environment and especially when Graphical User Interface is not installed, we will 
often use text files, scripts, shell, etc. Throughout this book we will see shell commands, script 
files, configuration files and many other actions to execute on the terminal of the server. You can 
enter them manually or use the compressed archive file that I made which contains all 
configuration examples and paste them directly to your terminal. This seems to be useful in many 
cases to save time. 


The example configuration files in this book are available electronically via HTTP from this URL: 


ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz 


• In either case, extract the files into your Linux server from the archive by typing: 
[root@deep /]# cd /var/tmp 
[root@deep tmp]# tar xzpf floppy-2.0.tgz 


If you cannot get the examples from the Internet, please contact the author at this email address: 


gmourani@openna.com 
Problem with Securing & Optimizing Linux 

When you encounter a problem in "Securing & Optimizing Linux" we want to hear about it. Your 
reports are an important part in making the book more reliable, because even with the utmost 
care we cannot guarantee that every part of the book will work on every platform under every 
circumstance. 


We cannot promise to fix every error right away. If the problem is obvious, critical, or affects a lot 
of users, chances are that someone will look into it. It could also happen that we tell you to 
update to a newer version to see if the problem persists there. Or we might decide that the 
problem cannot be fixed until some major rewriting has been done. If you need help immediately, 
consider obtaining a commercial support contract or try our Q&A archive from the mailing list for 
an answer. 


Below are some important links: 


OpenNA.com web site: http://www.openna.com/ 
Mailing list: http://www.openna.com/support/mailing/mailing.php 
Errata: http://www.openna.com/products/books/errata/errata.php 
Support: http://www.openna.com/support/support.php 
RPM Download: http://www.openna.com/downloads/downloads.php 
Part I Installation Related Reference 
In this Part 


Installation - Introduction 
Installation - Installing a Linux Server 


This part of the book deals with all the basic knowledge required to properly install a Linux OS, in 
our case a Red Hat Linux on your system in the most secure and clean manner available. 


1 Installation - Introduction 
In this Chapter 


What is Linux? 

Some good reasons to use Linux 

Let's dispel some of the fear, uncertainty, and doubt about Linux 
Why choose Pristine source? 

Compiling software on your system 

Build, Install software on your system 

Editing files with the vi editor tool 

Recommended software to include in each type of servers 
Some last comments 




Introduction 


What is Linux? 

Linux is an operating system that was first created at the University of Helsinki in Finland by a 
young student named Linus Torvalds. At this time the student was working on a UNIX system that 
was running on an expensive platform. Because of his low budget, and his need to work at home, 
he decided to create a copy of the UNIX system in order to run it on a less expensive platform, 
such as an IBM PC. He began his work in 1991 when he released version 0.02 and worked 
steadily until 1994 when version 1.0 of the Linux Kernel was released. The current full-featured 
version at this time is 2.2.X (released January 25, 1999), and development continues. 


The Linux operating system is developed under the GNU General Public License (also known as 
GNU GPL) and its source code is freely available to everyone who downloads it via the Internet. 
The CD-ROM version of Linux is also available in many stores, and companies that provide it will 
charge you for the cost of the media and support. Linux may be used for a wide variety of 
purposes including networking, software development, and as an end-user platform. Linux is 
often considered an excellent, low-cost alternative to other more expensive operating systems 
because you can install it on multiple computers without paying more. 


Some good reasons to use Linux 

There are no royalty or licensing fees for using Linux, and the source code can be modified to fit 
your needs. The results can be sold for profit, but the original authors retain copyright and you 
must provide the source to your modifications. 


Because it comes with source code to the kernel, it is quite portable. Linux runs on more CPUs 
and platforms than any other computer operating system. 


The recent direction of the software and hardware industry is to push consumers to purchase 
faster computers with more system memory and hard drive storage. Linux systems are not 
affected by those industries' orientation because of its capacity to run on any kind of computer, 
even aging 486-based computers with limited amounts of RAM. 


Linux is a true multi-tasking operating system similar to its brother, UNIX. It uses sophisticated, 
state-of-the-art memory management to control all system processes. That means that if a 
program crashes you can kill it and continue working with confidence. 


Another benefit is that Linux is practically immunized against all kinds of viruses that we find in 
other operating systems. To date we have found only two viruses that were effective on Linux 
systems. 


Let's dispel some of the fear, uncertainty, and doubt about Linux 


It's a toy operating system. 

Fortune 500 companies, governments, and consumers more and more use Linux as a cost- 
effective computing solution. It has been used and is still used by big companies like IBM, 
Amtrak, NASA, and others. 
There's no support. 

Every Linux distribution comes with more than 12,000 pages of documentation. Commercial 
Linux distributions such as Red Hat Linux, Caldera, SUSE, Mandrake, Turbo Linux and 
OpenLinux offer initial support for registered users, and small business and corporate accounts 
can get 24/7 support through a number of commercial support companies. As an Open Source 
operating system, there's no six-month wait for a service release, plus the online Linux 
community fixes many serious bugs within hours. 


Why choose Pristine source? 

All the programs in Red Hat distributions of Linux are provided as RPM files. An RPM file, also 
known as a “package”, is a way of distributing software so that it can be easily installed, 
upgraded, queried, and deleted. However, in the Unix world, the de facto standard for package 
distribution continues to be by way of so-called “tarballs”. Tarballs are simply compressed files 
that can be read and uncompressed with the “tar” utility. Installing from tar is usually 
significantly more tedious than using RPM. So why would we choose to do so? 


1) Unfortunately, it takes a few weeks for developers and helpers to get the latest version of 
a package converted to RPMs, because many developers first release them as tarballs. 


2) When developers and vendors release a new RPM, they include a lot of options that 
often are not necessary. Those organizations and companies don't know what options you 
will need and what you will not, so they include the most used ones to fit the needs of 
everyone. 


3) Often RPMs are not optimized for your specific processor; companies like Red Hat 
build RPMs based on a standard PC. This permits their RPM packages to be 
installed on all sorts of computers, since compiling a program for an i386 machine means 
it will work on all systems. 


4) Sometimes you download and install RPMs which other people around the world are 
building and making available for you to use. This can pose conflicts in certain cases, 
depending on how this individual built the package, such as errors, security and all the other 
problems described above. 


Compiling software on your system 

A program is something a computer can execute. Originally, somebody wrote the "source code" 
in a programming language he/she could understand (e.g., C, C++). The program "source code" 
also makes sense to a compiler that converts the instructions into a binary file suited to whatever 
processor is wanted (e.g. a 386 or similar). A modern file format for these "executable" programs 
is ELF. The programmer compiles his source code with the compiler and gets a result of some sort. 
It's not at all uncommon that early attempts fail to compile, or, having compiled, fail to act as 
expected. Half of programming is tracking down and fixing these problems (debugging). 


For beginners there are more aspects and new terms relating to the compilation of source 
code that you must know; these include but are not limited to: 

Multiple Files (Linking) 

One-file programs are quite rare. Usually there are a number of files (say *.c, *.cpp, etc.) that 
are each compiled into object files (*.o) and then linked into an executable. The compiler is 
usually used to perform the linking and calls the 'ld' program behind the scenes. 


Makefiles 

Makefiles are intended to aid you in building your program the same way each time. They also 
often help with increasing the speed of a program. The “make” program uses “dependencies” in 
the Makefile to decide what parts of the program need to be recompiled. If you change one 
source file out of fifty you hope to get away with one compile and one link step, instead of starting 
from scratch. 


Libraries 

Programs can be linked not only to object files (*.o) but also to libraries that are collections of 
object files. There are two forms of linking to libraries: static, where the code goes in the 
executable file, and dynamic, where the code is collected when the program starts to run. 


Patches 

It was common for executable files to be given corrections without recompiling them. Now this 
practice has died out; in modern days, people change a small portion of the source code, putting 
a change into a file called a “patch”. Where different versions of a program are required, small 
changes to code can be released this way, saving the trouble of having two large distributions. 


Errors in Compilation and Linking 

Errors in compilation and linking are often due to typos, omissions, or misuse of the language. 
You have to check that the right “include file” is used for the functions you are calling. 
Unreferenced symbols are the sign of an incomplete link step. Also check if the necessary 
development libraries (GLIBC) or tools (GCC, DEV86, MAKE, etc.) are installed on your system. 

Debugging 

Debugging is a large topic. It usually helps to have statements in the code that inform you of what 
is happening. To avoid drowning in output you might sometimes get them to print out only the first 
3 passes in a loop. Checking that variables have passed correctly between modules often helps. 
Get familiar with your debugging tools. 


Build & install software on your system 

You will see in this book that we use many different compile commands to build and install 
programs on the server. These commands are UNIX compatible and are used on all variants of 
*NIX machines to compile and install software. 


The procedure to compile and install software tarballs on your server is as follows: 


1. First of all, you must download the tarball from your trusted software archive site. Usually 
from the main site of the software you hope to install. 


2. After downloading the tarball, change to the /var/tmp directory (note that other paths 
are possible, at personal discretion) and untar the archive by typing the commands (as 
root) as in the following example: 


[root@deep /]# tar xzpf foo.tar.gz 

The above command will extract all files from the example foo.tar.gz compressed archive and 
will create a new directory with the name of the software in the directory where you executed the 
command. 
The “x” option tells tar to extract all files from the archive. 
The “z” option tells tar that the archive is compressed with the gzip utility. 
The “p” option maintains the original permissions the files had when the archive was created. 
The “f” option tells tar that the very next argument is the file name. 
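The extraction step above is only as trustworthy as the archive you downloaded. The following shell script is an added example, not part of the book or of the OpenNA files: it compares the tarball's SHA-256 checksum with the value the project publishes (assumed to be known to the caller), lists the archive members with "tar t" to refuse any entry that would be written outside the target directory, and only then extracts with "tar xzpf". The foo.tar.gz archive, its contents and the checksum are constructed inside the script so it runs offline; the same function applies unchanged to the floppy-2.0.tgz archive of example configuration files from the preface. It assumes GNU coreutils (sha256sum) and tar.

```shell
#!/bin/sh
# Added example (not from the book): verify a downloaded tarball before
# extracting it with "tar xzpf". Assumes GNU coreutils (sha256sum) and tar.
# The archive, its contents and the checksum used below are constructed here.

# unsafe_member_names: reads archive member names on stdin and succeeds (0)
# if any entry is an absolute path or contains a ".." path component, i.e.
# an entry that would land outside the extraction directory.
unsafe_member_names() {
    grep -E '^/|(^|/)\.\.(/|$)' >/dev/null
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Returns 0 on success, 1 on checksum mismatch, 2 on an unsafe member name.
# Nothing is written to DESTDIR unless both checks pass.
verify_and_extract() {
    archive=$1
    expected=$2
    dest=$3

    # 1. Integrity: compare against the checksum the project publishes
    #    (supplied by the caller here) before looking inside the archive.
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi

    # 2. Member names: "t" lists the archive without extracting anything.
    if tar tzf "$archive" | unsafe_member_names; then
        echo "unsafe member path in $archive" >&2
        return 2
    fi

    # 3. Extract: x=extract, z=gzip, p=keep permissions, f=file name;
    #    -C enters DESTDIR first, like the book's "cd /var/tmp".
    mkdir -p "$dest" || return 3
    tar xzpf "$archive" -C "$dest"
}

# make_sample_tarball WORKDIR: builds a constructed foo.tar.gz containing
# foo-1.0/README and foo-1.0/INSTALL in WORKDIR and prints its path.
make_sample_tarball() {
    work=$1
    mkdir -p "$work/foo-1.0"
    printf 'Read INSTALL first.\n' > "$work/foo-1.0/README"
    printf './configure && make && make install\n' > "$work/foo-1.0/INSTALL"
    ( cd "$work" && tar czf foo.tar.gz foo-1.0 )
    echo "$work/foo.tar.gz"
}

# demo: prints "ok" if the genuine archive extracts and the same archive
# with a wrong checksum is refused before any file is written.
demo() {
    work=$(mktemp -d)
    archive=$(make_sample_tarball "$work")
    good=$(sha256sum "$archive" | cut -d' ' -f1)

    verify_and_extract "$archive" "$good" "$work/out" || return 1
    [ -f "$work/out/foo-1.0/INSTALL" ] || return 1

    # Same archive, wrong checksum (a corrupted or tampered download).
    if verify_and_extract "$archive" "0000deadbeef" "$work/out2" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$work/out2" ] || return 1

    rm -rf "$work"
    echo ok
}

demo
```

The member-name check is deliberately a separate function that reads plain text, so it can be tested on its own and reused for an uncompressed archive ("tar tf") as well.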


Once the tarball has been decompressed into the appropriate directory, you will almost certainly 
find a “README” and/or an “INSTALL” file included with the newly decompressed files, with further 
instructions on how to prepare the software package for use. Likely, you will need to enter 
commands similar to the following example: 

./configure 
make 
make install 


Of the above commands, ./configure will configure the software and ensure your system has the 
necessary libraries to successfully compile the package; make will compile all the source files into 
executable binaries. Finally, make install will install the binaries and any supporting files into 
the appropriate locations. Other specific commands that you'll see in this book for compilation 
and installation procedures will be: 


make depend 
strip 
chown 


The make depend command will build and make the necessary dependencies for different files. 
The strip command will discard all symbols from the object files. This means that our binary file 
will be smaller in size. This will improve the performance of the program, since there will be fewer 
lines to read by the system when it executes the binary. The chown command will set the correct 
file owner and group permissions for the binaries. More commands will be explained in the 
concerned installation sections. 


Editing files with the vi editor tool 

The vi program is a text editor that you can use to edit any text and particularly programs. During 
installation of software, the user will often have to edit text files, like Makefiles or configuration 
files. The following are some of the more important keystroke commands to get around in vi. I 
decided to introduce the vi commands now since it is necessary to use vi throughout this book. 
Command     Result 
i           Notifies vi to insert text before the cursor 
a           Notifies vi to append text after the cursor 
dd          Notifies vi to delete the current line 
x           Notifies vi to delete the current character 
Esc         Notifies vi to end the insert or append mode 
u           Notifies vi to undo the last command 
Ctrl+f      Scroll up one page 
Ctrl+b      Scroll down one page 
/string     Search forward for string 
Ctrl+g      Display filename and current line number 
:q          Quit editor 
:q!         Quit editor without saving changes 
:wq         Save changes and exit editor 


Recommended software to include in each type of servers 

If you buy binaries, you will not get any equity and ownership of the source code. Source code is a 
very valuable asset and binaries have no value. Buying software may become a thing of the past. 
You only need to buy good hardware; it is worth spending money on the hardware and getting the 
software from the Internet. An important point is that it is the computer hardware that is doing the bulk of 
the job. Hardware is the real workhorse and software is just driving it. It is for this reason that we 
believe in working with and using Open Source software. Much of the software and services 
that come with Linux are open source and allow the user to use and modify them in an 
unrestricted way according to the General Public License. 


Linux has quickly become the most practical and user-friendly platform for e-business -- and with 
good reason. Linux offers users stability, functionality and value that rivals any platform in the 
industry. Millions of users worldwide have chosen Linux for applications, from web and email 
servers to departmental and enterprise vertical application servers. To respond to your needs and 
to let you know how you can share services between systems, I have developed ten different 
types of servers, which cover the majority of server functions and enterprise demands. 


Companies often try to centralize many services into one server to save money; it is well known 
and often seen that there are conflicts between the technical departments and purchasing agents 
of companies about investment and expenditure when it comes to buying new equipment. When 
we consider security and optimization, it is of the utmost importance not to run too many services 
on one server; it is highly recommended to distribute tasks and services between multiple 
systems. The tables below show you which software and services we recommend for each type 
of Linux server. 


The following conventions will explain the interpretations of these tables: 


• Optional Components: components that may be included to improve the features of the server or 
to fit special requirements. 

• Security Software Required: what we consider as minimum-security software to have installed on 
the server to improve security. 

• Security Software Recommended: what we recommend for the optimal security of the servers. 
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IV ETISI=) aV(c16 Web Server Gateway Server 
Sendmail or qmail (SMTP Server) Apache (Web Server) BIND/DNS (Caching) 
BIND/DNS (Caching) qmail (Standalone) qmail (Standalone) 
IPTABLES Firewall BIND/DNS (Caching) IPTABLES Firewall 
IPTABLES Firewall 


IMAP/POP only for Sendmail i 
Mod_PHP4 Capability 
Mod_SSL Capability 
Mod-Perl Capability 
MM Capability 
Webmail Capabilit 
Secure Linux Kernel Patches Secure Linux Kernel Patches Secure Linux Kernel Patches 
OpenSSL Encryption Software OpenSSL Encryption Software OpenSSL Encryption Software 
OpenSSH (Server) OpenSSH (Server) OpenSSH (Client & Server) 
Tripwire Integrity Tool Tripwire Integrity Tool Tripwire Integrity Tool 
GnuPG GnuPG GnuPG 
sXid sXid sXid 
Logcheck Logcheck Logcheck 
PortSentry PortSentry PortSentry 
Quota Quota 


FTP Server Domain Name Server File Sharing Server 
Wu-FTPD (Server) Primary BIND/DNS (Server) Samba LAN (Server) 
qmail (Standalone) qmail (Standalone) qmail (Standalone) 

BIND/DNS (Caching) IPTABLES Firewall BIND/DNS (Caching) 
IPTABLES Firewall IPTABLES Firewall 


AITO VIO MS Re RSV cae |e ee | ee 
Secure Linux Kernel Patches Secure Linux Kernel Patches Secure Linux Kernel Patches 
OpenSSL Encryption Software OpenSSL Encryption Software OpenSSL Encryption Software 
OpenSSH (Server) OpenSSH (Server) OpenSSH (Server) 
Tripwire Integrity Tool Tripwire Integrity Tool Tripwire Integrity Tool 
GnuPG GnuPG GnuPG 
sXid sXid sXid 
Logcheck Logcheck Logcheck 
PortSentry PortSentry PortSentry 
Quota 
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Database server Backup server 
PostgreSQL (Client & Server) Amanda (Server) FreeS/WAN VPN (Server) 
qmail (Standalone) qmail (Standalone) qmail (Standalone) 
BIND/DNS (Caching) BIND/DNS (Caching) BIND/DNS (Caching) 
IPTABLES Firewall Dump Utility IPTABLES Firewall 
IPTABLES Firewall 


Optional Components Optional Components Optional Components 


Security Software Required Security Software Required 
Secure Linux Kernel Patches Secure Linux Kernel Patches Secure Linux Kernel Patches 
OpenSSL Encryption Software OpenSSL Encryption Software OpenSSL Encryption Software 
OpenSSH (Server) OpenSSH (Client & Server) OpenSSH (Server) 
Tripwire Integrity Tool Tripwire Integrity Tool Tripwire Integrity Tool 
Security Software recommended | Security Software recommended 
GnuPG GnuPG GnuPG 
sXid sXid sXid 
Logcheck Logcheck Logcheck 
PortSentry PortSentry PortSentry 





Some last comments

Before reading the rest of the book, it should be noted that the text assumes that certain files are
placed in certain directories. Where they have been specified, the conventions we adopt here for
locating these files are those of the Red Hat Linux distribution. If you are using a different
distribution of Linux or some other operating system that chooses to distribute these files in a
different way, you should be careful when copying examples directly from the text.


It is important to note that all software listed from Part IV through Part IX of the book is required if
you want to run a fully operational and secure Linux system. Without it, you will have a system that
is not as secure as you expect it to be. Therefore I highly recommend you read at least Part IV
through Part IX before going into the specific services you may want to install on your server.
2 Installation - Installing a Linux Server
In this Chapter 


Know your Hardware! 

Creating the Linux Boot Disk 

Beginning the installation of Linux 

Installation Class and Method (Install Options) 

Partition your system for Linux 

Disk Partition (Manual Partitioning) 

Selecting Package Groups 

How to use RPM Commands 

Starting and stopping daemon services 

Software that must be uninstalled after installation of the server 
Remove unnecessary documentation files 

Remove unnecessary/empty files and directories 

Software that must be installed after installation of the server 
Verifying installed programs on your Server 

Update of the latest software 




Linux Installation 


Abstract

We have prepared and structured this chapter in a manner that follows the original installation of
the Red Hat Linux operating system from CD-ROM. Each section below refers to, and will guide
you through, the different screens that appear during the setup of your system after booting from
the Red Hat boot diskette. It is useful to have the machine you want to install Linux on ready and
near you when you follow the steps described below.


You will see that during the beginning of the installation of Linux, there are many options,
parameters, and tweaks that you can set before the system boots for the first time.


Know your Hardware! 

Understanding the hardware of your computer is essential for a successful installation of Linux. 
Therefore, you should take a moment and familiarize yourself with your computer hardware. Be 
prepared to answer the following questions: 


1.  How many hard drives do you have?
2.  What size is each hard drive (e.g., 15GB)?
3.  If you have more than one hard drive, which is the primary one?
4.  What kind of hard drive do you have (e.g., IDE ATA/66, SCSI)?
5.  How much RAM do you have (e.g., 256MB RAM)?
6.  Do you have a SCSI adapter? If so, who made it and what model is it?
7.  Do you have a RAID system? If so, who made it and what model is it?
8.  What type of mouse do you have (e.g., PS/2, Microsoft, Logitech)?
9.  How many buttons does your mouse have (2/3)?
10. If you have a serial mouse, what COM port is it connected to (e.g., COM1)?
11. What is the make and model of your video card? How much video RAM do you have (e.g., 8MB)?
12. What kind of monitor do you have (make and model)?
13. Will you be connected to a network? If so, what will be the following:
    a. Your IP address?
    b. Your netmask?
    c. Your gateway address?
    d. Your domain name server's IP address?
    e. Your domain name?
    f. Your hostname?
    g. Your type(s) of network card(s) (make and model)?
    h. Your number of network card(s)?


Creating the Linux Boot Disk 

The first thing to do is to create an installation diskette, also known as a boot disk. If you have
purchased the official Red Hat Linux CD-ROM, you will find a floppy disk named “Boot Diskette”
in the Red Hat Linux box so you don't need to create it.


Sometimes, you may find that the installation will fail using the standard diskette image that
comes with the official Red Hat Linux CD-ROM. If this happens, a revised diskette is required in
order for the installation to work properly. In these cases, special images are available via the
Red Hat Linux Errata web page to solve the problem (http://www.redhat.com/errata).
Since this is a relatively rare occurrence, you will save time if you try to use the standard diskette
images first, and then review the Errata only if you experience any problems completing the
installation. Below, we will show you two methods to create the installation Boot Disk: the first
method is to use an existing Microsoft Windows computer and the second an existing Linux
computer.


Making a Diskette Under MS-DOS

Before you make the boot disk, insert the Official Red Hat Linux CD-ROM Disk 1 in your
computer that runs the Windows operating system. When the program asks for the filename,
enter boot.img for the boot disk. To make the floppies under MS-DOS, you need to use these
commands (assuming your CD-ROM is drive D: and contains the Official Red Hat Linux CD-ROM).


• Open the Command Prompt under Windows: Start | Programs | Command Prompt
  C:\> d:
  D:\> cd \dosutils
  D:\dosutils> rawrite
  Enter disk image source file name: ..\images\boot.img
  Enter target diskette drive: a:
  Please insert a formatted diskette into drive A: and press -ENTER- :
  D:\dosutils>


The rawrite.exe program asks for the filename of the disk image: enter boot.img (here
..\images\boot.img, relative to the dosutils directory) and insert a blank floppy into drive A. It will
then ask for a disk to write to: enter a:, and when complete, label the disk “Red Hat boot disk”,
for example.


Making a Diskette Under a Linux-Like OS

To make a diskette under Linux or any other Linux-like operating system, you must
have permission to write to the device representing the floppy drive (known as /dev/fd0H1440
under Linux).


This permission is granted when you log in to the system as the super-user “root”. Once you have
logged in as “root”, insert a blank formatted diskette into the diskette drive of your computer without
issuing a mount command on it. Now it's time to mount the Red Hat Linux CD-ROM on Linux and
change to the directory containing the desired image file to create the boot disk.


• Insert a blank formatted diskette into the diskette drive
• Insert the Red Hat Linux CD Part 1 into the CD-ROM drive
  [root@deep /]# mount /dev/cdrom /mnt/cdrom
  [root@deep /]# cd /mnt/cdrom/images/
  [root@deep images]# dd if=boot.img of=/dev/fd0H1440 bs=1440k
  1+0 records in
  1+0 records out
  [root@deep images]# cd /
  [root@deep /]# umount /mnt/cdrom


Don't forget to label the diskette “Red Hat boot disk”, for example.
Beginning the installation of Linux

Now that we have made the boot disk, it is time to begin the installation of Linux. Since we
start the installation directly off the CD-ROM, boot with the boot disk. Insert the boot diskette you
created into drive A: on the computer where you want to install Linux and reboot the computer.
At the boot: prompt, press Enter to continue booting and follow the three simple steps below:


Step 1


The first step is to choose what language should be used during the installation process. In our
example we choose the English language.


[Screenshot: Language Selection screen of the Red Hat Linux installer, with Online Help on the left]


Step 2


After that, the system allows you to choose your keyboard type, the layout type for the keyboard, and
the possibility to enable or disable Dead Keys.


[Screenshot: Keyboard Configuration screen (model, layout, dead keys, test field)]


Step 3


Finally, we choose the kind of mouse we use and whether this mouse has two or three buttons. If
you have a mouse with just two buttons, you can select the option named “Emulate 3 Buttons”
and click both mouse buttons at the same time to act as the middle mouse button.


[Screenshot: Mouse Configuration screen (mouse type list, “Emulate 3 Buttons” checkbox)]
Once we have completed the above three steps, we are ready to begin the installation of Red Hat
Linux.


Installation Class and Method (Install Options) 
Red Hat Linux 7.1 includes four different classes, or types, of installation. They are:


• Workstation
• Server System
• Laptop
• Custom System


The first two classes (Workstation and Server System) give you the option of simplifying the
installation process at the cost of a significant loss of configuration flexibility that we don't want to lose.


For this reason we highly recommend you select the “Custom System” installation. Only the 
custom-class installation gives us complete flexibility. During the custom-class installation, it is up 
to you how disk space should be partitioned. We also have complete control over the different 
RPM packages that will be installed on the system. 


The idea is to load the minimum amount of packages, while maintaining maximum efficiency. The 
less software that resides on the machine, the fewer potential security exploits or holes may 
appear. 


From the menu that appears on your screen, select the “Custom System” installation class and
click Next.


[Screenshot: Install Options screen (Workstation, Server System, Laptop, Custom System, Upgrade)]
Partition your system for Linux
The system will show you a new screen from where you can choose the tool you would like to
use to partition the disks for Linux.


[Screenshot: Disk Partitioning screen with the choices “Automatically partition and REMOVE DATA”,
“Manually partition with Disk Druid” and “Manually partition with fdisk [experts only]”]





From here we have two choices, but before we explain each one, it is important to
understand partition strategy first.


We assume that you are installing the new Linux server to a new hard drive, with no other
existing file system or operating system installed. A good partition strategy is to create a separate
partition for each major file system. This enhances security and prevents accidental denial of
service or exploitation of SUID programs.


Creating multiple partitions offers you the following advantages:


• Protection against denial of service attack.
• Protection against SUID programs.
• Faster booting.
• Easy backup and upgrade management.
• Ability for better control of mounted file systems.
• Limit each file system's ability to grow.
• Improve performance of some programs with special setup.








WARNING: If a previous file system or operating system exists on the hard drive and computer 
where you want to install your Linux system, we highly recommend, that you make a backup of 
your current system before proceeding with the disk partitioning. 
Partitions Strategy

For performance, stability and security reasons you must create something like the
partitions listed below on your computer. We suppose for this partition configuration that
you have a SCSI hard drive of 9.1 GB with 256 MB of physical RAM. Of course you will need to
adjust the partition sizes and swap space according to your own needs and disk size.


Minimal recommended partitions that must be created on your system:
This is the minimum number of partitions we recommend creating, whatever you want to set the
server up for: a Web Server, Mail Server, Gateway or something else.


/boot      5 MB    All Kernel images are kept here.
<Swap>   512 MB    Our swap partition. The virtual memory of the Linux operating system.
/        256 MB    Our root partition.
/usr     512 MB    Must be large, since many Linux binary programs are installed here.
/home   5700 MB    Proportional to the number of users you intend to host
                   (i.e. 100 MB per user * the number of users, 57 = 5700 MB).
/var     256 MB    Contains files that change when the system runs normally (i.e. Log files).
/tmp     227 MB    Our temporary files partition (must always reside on its own partition); it takes
                   whatever space remains on the disk.


Additional or optional partitions that can be created on your system:

Depending on what services the Linux system will be assigned to serve or the specific software
requirements, there can be some special partitions you can add to the minimum partitions we
recommend. You can create as many partitions as you want to fit your needs. What we show you
below are partitions related to programs we describe in the book.


/chroot    256 MB    If you want to install programs in a chroot jail environment (i.e. DNS, Apache).
/var/lib  1000 MB    Partition to handle SQL or Proxy Database Server files (i.e. MySQL, Squid).


File System Partition

Partition 01: /          (Root File System)
Partition 02: <Swap>     (Linux swap partition, virtual memory)
Partition 03: /boot      (Linux Kernel partition)
Partition 04: /usr       (Shared Binaries partition)
Partition 05: /home      (User partition)
Partition 06: /chroot    (Chroot jail partition)
Partition 07: /var       (Accounting & Administrative)
Partition 08: /var/lib   (Databases partition)
Partition 09: /tmp       (Temporary file partition)

All major file systems are on separate partitions.


As you can see, there are two partitions which are less common than the others. Let's explain
each of them in more detail:
The /chroot partition can be used for a chrooted DNS Server, a chrooted Apache Web Server and
other chrooted programs in the future. chroot() is a Unix system call that is often used
to provide an additional layer of security when untrusted programs are run. The kernel on Unix
variants which support chroot() keeps a record of the root directory of each process on the
system. Generally this is /, but the chroot() system call can change it. When chroot()
is successfully called, the calling process has its idea of the root directory changed to the
directory given as the argument to chroot().


The /var/lib partition can be used to handle SQL or Squid Proxy database files on the Linux
Server. This partition can be useful to limit accidental denial of service attacks and to improve the
performance of the program by tuning the /var/lib file system.


Putting /tmp and /home on separate partitions is pretty much mandatory if users have shell
access to the server (protection against SUID programs). Splitting these off into separate
partitions also prevents users from filling up any critical file system (denial of service attack).
Putting /var and /usr on separate partitions is also a very good idea. By isolating the /var
partition, you protect your root partition from overfilling (denial of service attack). Note that the
partition boundary by itself does not stop a user from running a SUID binary placed in /tmp or
/home; that protection comes from the mount options (nosuid, nodev) you give these partitions in
/etc/fstab, which is exactly what having them on separate partitions makes possible.
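Because the SUID and device-node protection comes from the mount options rather than from the partition boundary, here is an added example, not from the book, that checks for exactly that: a small Python audit that parses an fstab, reports which of the user-writable mount points of the layout above lack nosuid and nodev (and, for /tmp, noexec), and emits a corrected fstab. The sample fstab, the device-to-mount-point mapping (sda5 swap, sda6 /, and so on, following the fdisk table later in this chapter) and the option policy are constructed for this illustration; noexec on /tmp is the strictest of the three options and can break package installers that run scripts from /tmp, so treat it as a policy choice rather than a given.

```python
"""Audit and harden /etc/fstab mount options for a separate-partition layout.

Added example, not from the book.  A separate /tmp or /home keeps users
from filling the root file system, but it only stops SUID binaries and
device nodes on those partitions when they are mounted nosuid/nodev.
This checks an fstab for exactly that and can append the missing options.
"""
from typing import Dict, List, Set

# Constructed sample fstab for the layout in this chapter; the device
# numbers follow the fdisk table (sda5 swap, sda6 /, ...).  Options are
# deliberately incomplete so the audit has something to find.
SAMPLE_FSTAB = """\
# device      mount point  type  options                dump pass
/dev/sda6     /            ext2  defaults               1 1
/dev/sda1     /boot        ext2  defaults               1 2
/dev/sda9     /chroot      ext2  defaults               1 2
/dev/sda8     /home        ext2  defaults,nosuid,nodev  1 2
/dev/sda12    /tmp         ext2  defaults               1 2
/dev/sda7     /usr         ext2  defaults               1 2
/dev/sda10    /var         ext2  defaults,nosuid,nodev  1 2
/dev/sda11    /var/lib     ext2  defaults               1 2
/dev/sda5     swap         swap  defaults               0 0
"""

# Policy (an assumption for this example): file systems that untrusted
# users or network services write to must not honour SUID bits or carry
# device nodes.  noexec on /tmp is the strictest of the three and can
# break installers that run scripts from /tmp, so it is a deliberate choice.
POLICY: Dict[str, Set[str]] = {
    "/tmp":     {"nosuid", "nodev", "noexec"},
    "/home":    {"nosuid", "nodev"},
    "/var":     {"nosuid", "nodev"},
    "/var/lib": {"nosuid", "nodev"},
}


def parse_fstab(text: str) -> List[Dict[str, object]]:
    """Return one dict per fstab(5) line; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 4:          # device, mount point, type, options are mandatory
            continue
        entries.append({
            "device": fields[0],
            "mountpoint": fields[1],
            "fstype": fields[2],
            "options": set(fields[3].split(",")),
        })
    return entries


def audit_fstab(text: str, policy: Dict[str, Set[str]] = POLICY) -> Dict[str, List[str]]:
    """Map each policy mount point to the options it lacks.

    A policy mount point with no fstab line of its own is reported as
    lacking a "separate partition": it lives on / and inherits its options,
    so a user can fill or abuse it from there.
    """
    by_mount = {e["mountpoint"]: e for e in parse_fstab(text)}
    findings: Dict[str, List[str]] = {}
    for mountpoint, required in policy.items():
        entry = by_mount.get(mountpoint)
        if entry is None:
            findings[mountpoint] = ["separate partition"]
            continue
        missing = sorted(required - entry["options"])
        if missing:
            findings[mountpoint] = missing
    return findings


def harden_fstab(text: str, policy: Dict[str, Set[str]] = POLICY) -> str:
    """Return the fstab with the policy options appended to the lines that need them."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 4 and not raw.lstrip().startswith("#") and fields[1] in policy:
            options = fields[3].split(",")
            options += sorted(policy[fields[1]] - set(options))
            fields[3] = ",".join(options)
            raw = "  ".join(fields)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for mountpoint, missing in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{mountpoint}: missing {', '.join(missing)}")
    print(harden_fstab(SAMPLE_FSTAB))
```

Run against a real system with `audit_fstab(open("/etc/fstab").read())`; the report for the sample above flags /tmp and /var/lib, and the hardened text passes the same audit cleanly. Remount with `mount -o remount /tmp` after editing fstab for the options to take effect without a reboot.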


In our partition configuration we'll reserve 256 MB of disk space for chrooted programs like
Apache, DNS and other software. This is necessary because the Apache DocumentRoot files and the
other binaries and programs related to it will be installed in this partition if you decide to run the
Apache Web Server in a chroot jail. Note that the size of the Apache chrooted directory on the
chroot partition is proportional to the size of your DocumentRoot files or the number of users.


Swap related issues:

Swap relates to virtual RAM on the system. This special device is needed when you run out of
physical RAM because you don't have enough RAM installed or your applications require
more than what is available on your computer. It is not true that swap space is needed on every
system, but to ensure that you do not run out of memory, it is recommended to create a swap
partition on the server.


The 2.4 kernel of Linux is more aggressive than the 2.2 kernels in its use of swap space and the
optimal sizing of swap space remains dependent on the following:


1. The amount of RAM installed
2. The amount of disk space available for swap
3. The applications being run
4. The mix of applications that are run concurrently


No rule-of-thumb can possibly take all these data points into account. However, we recommend
the following swap sizes:


• Single-user systems with less than 128MB physical RAM: 256MB

• Single-user systems and low-end servers with more than 128MB physical RAM: two
  times physical RAM (2xRAM)

• Dedicated servers with more than 512MB physical RAM: highly dependent on
  environment and must be determined on a case-by-case basis
Minimum size of partitions for very old hard disks:

For information purposes only, this is the minimum size in megabytes which a Linux installation
must have to function properly. The sizes of partitions listed below are really small. This
configuration can fit into a very old hard disk of 512MB in size that you might find in old i486
computers. We show you this partition layout just to give an idea of the minimum requirements.


/          35MB
/boot       5MB
/chroot    10MB
/home     100MB
/tmp       30MB
/usr      232MB
/var       25MB


WARNING: Compiling programs from source on a 512 MB hard disk will fail for lack of
available space. Install RPM packages instead.





Disk Partition (Manual Partitioning)

Now that we know exactly what partitions we need to create for our new Linux server, it is time to
choose the partitioning software we will use to make these partitions on the server. With Red Hat
Linux two programs exist to assist you during this step. During setup, the installation will give you
two choices, which are:


• Manually partition with Disk Druid
• Manually partition with fdisk [experts only]


Disk Druid is the software used by default in Red Hat Linux to partition your disk drive.
It is an easy to use program which allows you to work through a graphical interface to create
your partition tables.


fdisk was the first partitioning program available on Linux. It is more powerful than Disk
Druid and allows you to create your partition table in exactly the way you want it (if you want to
put your swap partition near the beginning of your drive, then you will need to use fdisk).
Unfortunately, it is also a little more complicated than Disk Druid and many Linux users prefer
to use Disk Druid for this reason.


Personally, I prefer to create the required partitions with the fdisk program and I recommend
you use it and become familiar with it, because if in the future you want to add or change some
file systems you will need to use fdisk.
Partitioning with Disk Druid
This section applies only if you chose to use Disk Druid to partition your system.


Disk Druid is a program that partitions your hard drive for you. Choose “Add” to add a new
partition, “Edit” to edit a partition, “Delete” to delete a partition and “Reset” to reset the
partitions to the original state. When you add a new partition, a new window appears on your
screen and gives you parameters to choose.


The different parameters are:


Mount Point: where you want to mount your new partition in the filesystem.
Size (Megs): the size of your new partition in megabytes.
Partition Type: Linux native for a Linux filesystem and Swap for a Linux Swap Partition.


[Screenshot: Disk Druid screen showing the partition list with the Add, Edit, Delete and Reset buttons]


If you have a SCSI disk, the device name will be /dev/sda and if you have an IDE disk it will be
/dev/hda. If you're looking for high performance and stability, a SCSI disk is highly
recommended.








Linux refers to disk partitions using a combination of letters and numbers. It uses a naming 
scheme that is more flexible and conveys more information than the approach used by other 
operating systems. 


Here is a summary: 


First Two Letters — The first two letters of the partition name indicate the type of device on which the 
partition resides. You'll normally see either hd (for IDE disks), or sd (for SCSI disks). 





The Next Letter — This letter indicates which device the partition is on. For example: /dev/hda (the first 
IDE hard disk) and /dev/hdb (the second IDE disk), etc. 








Keep this information in mind, it will make things easier to understand when you're setting up the 
partitions Linux requires. 
Now, as an example:
To make the partitions listed below on your system (these are the partitions we'll need for our
server installation example), the commands below are for Disk Druid:


Step 1
Execute all of the following commands with Disk Druid to create the required partitions.


Add
  Mount Point: /boot          ← our /boot directory (all Kernel images are kept here).
  Size (Megs): 5
  Partition Type: Linux Native
Ok

Add
  Mount Point:                ← our swap partition (leave the Mount Point blank).
  Size (Megs): 512
  Partition Type: Linux Swap
Ok

Add
  Mount Point: /              ← our / directory (the root partition).
  Size (Megs): 256
  Partition Type: Linux Native
Ok

Add
  Mount Point: /usr           ← our /usr directory (many Linux binary programs are installed here).
  Size (Megs): 512
  Partition Type: Linux Native
Ok

Add
  Mount Point: /home          ← our /home directory (where users' files & directories reside).
  Size (Megs): 5700
  Partition Type: Linux Native
Ok

Add
  Mount Point: /chroot        ← our /chroot directory (for programs installed in a chroot jail environment).
  Size (Megs): 256
  Partition Type: Linux Native
Ok

Add
  Mount Point: /var           ← our /var directory (files that change when the system runs are kept here).
  Size (Megs): 256
  Partition Type: Linux Native
Ok

Add
  Mount Point: /var/lib       ← our /var/lib directory (special partition to handle SQL or Proxy Database files).
  Size (Megs): 1000
  Partition Type: Linux Native
Ok

Add
  Mount Point: /tmp           ← our /tmp directory (partition for temporary files on the system).
  Size (Megs): 227
  Partition Type: Linux Native
Ok
Step 2
After you have executed the above commands to create and partition your drive with Disk
Druid, press the Next button and continue the installation to choose partitions to format.


Partitioning with fdisk
This section applies only if you chose to use fdisk to partition your system.


The first thing you will want to do is to use the p key to check the current partition information. You
need to first add your /boot partition. Use the n key to create a new partition and then select either
the e or p key for an extended or primary partition.


Most likely you will want to create a primary partition. You are asked what partition number should
be assigned to it, at which cylinder the partition should start (you will be given a range; just
choose the lowest number (1)), and the size of the partition. For example, for a 5MB partition,
you would enter +5M for the size when asked.


Next, you need to add your extended partition. Use the n key to create a new partition and then
select the e key for an extended partition. You are asked what partition number should be assigned
to it, at which cylinder the partition should start (you will be given a range; just choose the
lowest number (2)), and the size of the partition. You would enter the last number for the size
when asked (or just press Enter).


You will now want to create the swap partition. You need to use the n key for a new partition.
Choose logical; tell it where the first cylinder should be (2). Tell fdisk how big you want your
swap partition. You then need to change the partition type to Linux swap. Enter the t key to
change the type and enter the partition number of your swap partition. Enter the number 82 as
the hex code for the Linux swap partition.


Now that you have created your Linux boot and Linux swap partitions, it is time to add any
additional partitions you might need. Use the n key again to create a new partition, and enter all
the information just as before. Keep repeating this procedure until all your partitions are created.
A PC partition table holds at most four primary partitions; if you need more, make one of the four
an extended partition and create the remaining partitions as logical partitions inside it (they are
numbered from 5), which is what the example below does.


NOTE: None of the changes you make take effect until you save them and exit fdisk using the w
command. You may quit fdisk at any time without saving changes by using the q command.


An overview of fdisk


• The command for help is m
• To list the current partition table, use p
• To add a new partition, use n
• To delete a partition, use d
• To set or change the partition type, use t
• To list the different partition types and their ID numbers, use l
• To save your information and quit fdisk, use w
Now, as an example:
To make the partitions listed below on your system (these are the partitions we'll need for our
server installation example), the commands below are for fdisk:


Step 1
Execute all of the following commands with fdisk to create the required partitions.


Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-1116, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-1116, default 1116): +5M      ← our /boot directory.


Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
e
Partition number (1-4): 2
First cylinder (2-1116, default 2): 2
Last cylinder or +size or +sizeM or +sizeK (2-1116, default 1116): 1116     ← our extended partition.


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (2-1116, default 2): 2
Last cylinder or +size or +sizeM or +sizeK (2-1116, default 1116): +512M    ← our swap partition.


Command (m for help): t
Partition number (1-5): 5     ← this is our swap partition number in this example.
Hex code (type L to list codes): 82
Changed system type of partition 5 to 82 (Linux swap)


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (68-1116, default 68): 68
Last cylinder or +size or +sizeM or +sizeK (68-1116, default 1116): +256M   ← our / directory.


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (101-1116, default 101): 101
Last cylinder or +size or +sizeM or +sizeK (101-1116, default 1116): +512M  ← our /usr directory.


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (167-1116, default 167): 167
Last cylinder or +size or +sizeM or +sizeK (167-1116, default 1116): +5700M ← our /home directory.


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (894-1116, default 894): 894
Last cylinder or +size or +sizeM or +sizeK (894-1116, default 1116): +256M  ← our /chroot directory.


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (927-1116, default 927): 927
Last cylinder or +size or +sizeM or +sizeK (927-1116, default 1116): +256M  ← our /var directory.


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (960-1116, default 960): 960
Last cylinder or +size or +sizeM or +sizeK (960-1116, default 1116): +1000M ← our /var/lib directory.


Command (m for help): n
Command action
   l   logical (5 or over)
   p   primary partition (1-4)
l
First cylinder (1088-1116, default 1088): 1088
Last cylinder or +size or +sizeM or +sizeK (1088-1116, default 1116): 1116  ← our /tmp directory.


Step 2
Now, use the p command to list the partitions we have created; you should see something like the following information on your screen.

Command (m for help): p

Disk /dev/sda: 255 heads, 63 sectors, 1116 cylinders
Units = cylinders of 16065 * 512 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/sda1             1         1      8001   83  Linux
/dev/sda2             2      1116  8956237+    5  Extended
/dev/sda5             2        67   530113+   82  Linux swap
/dev/sda6            68       100    265041   83  Linux
/dev/sda7           101       166   530113+   83  Linux
/dev/sda8           167       893   5839596   83  Linux
/dev/sda9           894       926    265041   83  Linux
/dev/sda10          927       959    265041   83  Linux
/dev/sda11          960      1087  1028128+   83  Linux
/dev/sda12         1088      1116    232911   83  Linux
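
The listing above can be checked arithmetically before anything is written to disk. The following POSIX shell script is an added example, not part of the book: it recomputes the Blocks column from each Start/End cylinder pair using the geometry fdisk printed (255 heads x 63 sectors = 16065 sectors per cylinder, 512-byte sectors, 1024-byte blocks), and derives how many cylinders a "+sizeM" answer occupies. It assumes that fdisk reserves one track (63 sectors) in front of every primary and logical partition for the MBR or the extended boot record, that the extended container (Id 5) keeps its whole range, and that "+sizeM" is rounded up to whole cylinders (an assumption that matches the four sizes requested in this chapter). The listing is embedded as constructed input so the script runs without a disk.

```shell
#!/bin/sh
# Added example: cross-check an old-style fdisk "p" listing against its geometry.
# Constructed input: the partition table shown in this chapter (Disk /dev/sda,
# 255 heads, 63 sectors, 1116 cylinders). Columns: device start end blocks id.
FDISK_LISTING='/dev/sda1 1 1 8001 83
/dev/sda2 2 1116 8956237+ 5
/dev/sda5 2 67 530113+ 82
/dev/sda6 68 100 265041 83
/dev/sda7 101 166 530113+ 83
/dev/sda8 167 893 5839596 83
/dev/sda9 894 926 265041 83
/dev/sda10 927 959 265041 83
/dev/sda11 960 1087 1028128+ 83
/dev/sda12 1088 1116 232911 83'

SECTORS_PER_CYL=16065   # 255 heads * 63 sectors
TRACK=63                # sectors reserved in front of a primary/logical partition (assumption)
SECTOR_BYTES=512

# fdisk_blocks START END ID -> the Blocks value fdisk prints ("+" = half block left over)
fdisk_blocks() {
    sectors=$(( ($2 - $1 + 1) * SECTORS_PER_CYL ))
    # the extended partition (Id 5) is only a container and keeps its whole range;
    # every other partition loses its first track to the boot sector / EBR
    [ "$3" = "5" ] || sectors=$(( sectors - TRACK ))
    if [ $(( sectors % 2 )) -eq 0 ]; then
        echo "$(( sectors / 2 ))"
    else
        echo "$(( sectors / 2 ))+"
    fi
}

# cylinders_for_mb MB -> cylinders a "+<MB>M" answer occupies, rounded up to whole cylinders
cylinders_for_mb() {
    bytes=$(( $1 * 1024 * 1024 ))
    cyl_bytes=$(( SECTORS_PER_CYL * SECTOR_BYTES ))
    echo "$(( (bytes + cyl_bytes - 1) / cyl_bytes ))"
}

# check_listing -> one line per partition, marked OK or MISMATCH (with the computed value)
check_listing() {
    printf '%s\n' "$FDISK_LISTING" | while read -r dev start end blocks id; do
        calc=$(fdisk_blocks "$start" "$end" "$id")
        if [ "$calc" = "$blocks" ]; then
            printf '%-10s %5s %5s %10s  OK\n' "$dev" "$start" "$end" "$blocks"
        else
            printf '%-10s %5s %5s %10s  MISMATCH (computed %s)\n' \
                "$dev" "$start" "$end" "$blocks" "$calc"
        fi
    done
}

# listing_mismatches -> number of rows whose Blocks value disagrees with the geometry
listing_mismatches() {
    check_listing | grep -c MISMATCH || true
}

check_listing
echo "mismatches: $(listing_mismatches)"
echo "+512M spans $(cylinders_for_mb 512) cylinders, +5700M spans $(cylinders_for_mb 5700)"
```

A row marked MISMATCH means the table fdisk holds is not the one you planned (a mistyped cylinder number, or a partition created in a different order), which is worth catching before w writes it.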
Step 3
If all the partitions look fine and meet your requirements, use the w command to write the table to disk and exit the fdisk program:

Command (m for help): w
The partition table has been altered





Step 4 

After you have partitioned your drive with fdisk, press Next and continue the installation with 
Disk Druid to choose the mount point of the directories. Disk Druid contains a list of all disk 
partitions with filesystems readable by Linux. This gives you the opportunity to assign these 
partitions to different parts of your Linux system when it boots. Select the partition you wish to 
assign and press Enter; then enter the mount point for that partition, e.g., /var. 





[Screenshot: Red Hat Linux installer, Disk Druid “Partitions” screen, with the online help on partitionless installation]


Step 5
After the mount points for the directories have been assigned, you should see something like the following on your screen. Our mount points look like this:

Disk Druid

Partitions

Mount Point   Device   Requested   Actual   Type
/boot         sda1         7M         7M   Linux Native
<Swap>        sda5       517M       517M   Linux Swap
/             sda6       258M       258M   Linux Native
/usr          sda7       517M       517M   Linux Native
/home         sda8      5702M      5702M   Linux Native
/chroot       sda9       258M       258M   Linux Native
/var          sda10      258M       258M   Linux Native
/var/lib      sda11     1004M      1004M   Linux Native
/tmp          sda12      227M       227M   Linux Native

Drive Summary

Drive   Geom [C/H/S]     Total (M)   Free (M)   Used (M)   Used (%)
sda     [1116/255/63]      8754M         1M      8753M        99%
Step 6
Now that you have partitioned and chosen the mount points of your directories, select Next to continue. After your partitions are created, the installation program will ask you to choose which partitions to format. Choose the partitions, check the “Check for bad blocks while formatting” box, and press Next again. This formats the partitions and makes them active so Linux can use them.








NOTE: Checking for bad blocks can help prevent data loss by finding the bad blocks on a drive 
and making a list of them to prevent data from being written to them in the future. 





[Screenshot: Red Hat Linux installer, “Choose Partitions to Format” screen listing the partitions to format, with the “Check for bad blocks while formatting” box]

System Configuration

On the next screen you will see the LILO Configuration screen. LILO, the LInux LOader, is 
software that can be used to start Linux on your computer. From this screen, you will see different 
configurable options related to LILO. 


[Screenshot: Red Hat Linux installer, LILO Configuration screen with the Create boot disk, Install LILO, Master Boot Record / First sector of boot partition, linear mode, kernel parameters, default boot image and boot label fields]





The first option is:

• Create boot disk
The Create boot disk option is checked by default. If you do not want to create a boot disk, you should deselect this option. Also, this option must be checked if you decide not to install LILO on the MBR (the Master Boot Record) or if you are not installing LILO at all.

The second option is:

• Do not install LILO
This option allows you to skip installing LILO if you use a boot disk rather than LILO to start your system. This can greatly improve security in some cases, since you need to have a bootable Linux floppy with the kernel on it to start the server. On the other hand, you will not be able to restart the server remotely if something happens.

The third option (the one that we will choose) installs LILO in your Linux system and gives you the choice to install the LILO boot record on:

• Master Boot Record (MBR)
• First Sector of Boot Partition

Usually, if Linux is the only Operating System on your machine (and this must be the case in a server installation), you should choose the “Master Boot Record (MBR)” option.


Network Configuration 
After that, you need to configure your network. If you have multiple Ethernet devices, each device 
will have its own configuration screen. 
Firewall Configuration

The latest release of Red Hat Linux now offers the possibility to configure a Firewall during installation. This is OK for the average end user but NOT for serious Firewall security. This newly added feature uses the old IPCHAINS tool of Linux with the help of a small utility named “Lokkit” to set up your firewall. I highly recommend that you deactivate this feature now and see later chapters on how to install and configure IPTABLES, which is the new Firewall tool to use with Linux and the kernel 2.4 generation.





From the next screen that appears, you will see three different security levels available, choose 
the “No firewall” option and click Next. 
Language Support Selection

Multiple language selection is now possible with this release of Linux. With internationalization, a need for different language support has appeared. From here the installation will ask you to choose the default language that will be used on your Linux system once the installation is complete. If you are only going to use one language on your system, selecting only this language will save significant disk space.

Time Zone Selection
On the next screen, you will have the opportunity to set your time zone. Once selected, click Next.

Account Configuration
After the clock has been configured, you need to set the password of the root account.

Authentication Configuration
Finally, the last stage is the authentication configuration. For Authentication Configuration don't forget to select:

✓ Enable MD5 passwords
✓ Enable Shadow passwords


Enable MD5 passwords - allows a long password to be used (up to 256 characters), instead of the Unix standard eight letters or less.

Enable shadow passwords - provides a very secure method of retaining passwords for you. All passwords are stored in a file named shadow, which is readable only by the super-user root.

Enable NIS, Enable LDAP and Enable Kerberos don't need to be selected since we are not configuring these services on this server right now.


Selecting Package Groups 

After your partitions have been configured and selected for formatting and configurations have 
been set for your specific system, you are ready to select packages for installation. By default, 
Linux is a powerful operating system that runs many useful services. However, many of these 
services are unneeded and pose potential security risks. 


Ideally, each network service should be on a dedicated, single-purpose host. Many Linux 
operating systems are configured by default to provide a wider set of services and applications 
than are required to provide a particular network service, so you may need to configure the server 
to eliminate unneeded services. Offering only essential services on a particular host can enhance 
your network security in several ways: 


✓ Other services cannot be used to attack the host and impair or remove desired network services.

✓ The host can be configured to better suit the requirements of the particular service. Different services might require different hardware and software configurations, which could lead to needless vulnerabilities or service restrictions.

✓ By reducing services, the number of logs and log entries is reduced, so detecting unexpected behavior becomes easier.

✓ Different individuals may administer different services. By isolating services so each host and service has a single administrator you will minimize the possibility of conflicts between administrators.


A proper installation of your Linux server is the first step to a stable, secure system. From the 
screen menu that appears (Selecting Package Groups), you first have to choose which system 
components you want to install, in our case, we must DESELECT ALL CHECKED Package 
Groups on the list. 


Since we are configuring a Linux Server, we don't need to install a graphical interface (XFree86) on our system (a graphical interface on a server means more processes, less CPU availability, less memory, more security risks, and so on); also, computers are subject to the treachery of images as well. The image on your computer screen is not a computer file -- it's only an image on a computer screen. Images of files, processes, and network connections are very distant cousins of the actual bits in memory, in network packets, or on disks.


Layer upon layer of hardware and software produces the images that you see. When an intruder 
"owns" a machine, any of those layers could be tampered with. Application software can lie, OS 
kernels can lie, boot PROMs can lie, and even hard disk drives can lie. Graphical interfaces are 
usually used on only workstations. 


Step 1
First of all, it is vital to verify and be SURE to deselect all of the following Package Groups:

✓ Printer Support                ✓ SMB (Samba) Server
✓ X Window System                ✓ IPX/Netware™ Connectivity
✓ GNOME                          ✓ Anonymous FTP Server
✓ KDE                            ✓ SQL Server
✓ Mail/WWW/News Tools            ✓ Web Server
✓ DOS/Windows Connectivity       ✓ DNS Name Server
✓ Graphics Manipulation          ✓ Network Management Workstation
✓ Games                          ✓ Authoring/Publishing
✓ Multimedia Support             ✓ Emacs
✓ Laptop Support                 ✓ Development
✓ Networked Workstation          ✓ Kernel Development
✓ Dialup Workstation             ✓ Utilities
✓ News Server                    ✓ Everything
✓ NFS Server

To sum up, it is very important, and I say VERY IMPORTANT, to deselect every selected Package Group (so that none is selected) before clicking on the Next button to continue the installation.

We don't want and don't need to install any additional packages. The default install of this Linux distribution already comes with the most essential programs we need for the functionality of the operating system.

NOTE ABOUT SYSTEM SIZE: At this stage of our installation of Linux, the total install size will be 224MB if you have deselected all the package groups in the menu as described above.





Step 2
At this point, the installation program will check dependencies in the packages selected for installation (in our case no packages are selected) and format every partition you selected for formatting in your system. This can take several minutes depending on the speed of your machine. Once all partitions have been formatted, the installation program starts to install Linux to your hard drive.
How to use RPM Commands

This section contains an overview of using RPM for installing, uninstalling, upgrading, querying, listing, and checking RPM packages on your Linux system. You must be familiar with these RPM commands now because we'll use them often in this book and especially later in this chapter for software that must be uninstalled after installation of the server.

• To install an RPM package, use the command:
[root@deep /]# rpm -ivh foo-1.0-2.i386.rpm
foo ##################################################

Note that RPM packages have file names like foo-1.0-2.i386.rpm, which include the package name (foo), version (1.0), release (2), and architecture (i386).
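
An added example (not the book's own code) that applies this naming rule: the shell functions below split a package file name into name, version, release and architecture, parsing from the right so that package names which themselves contain hyphens (krb5-libs, redhat-release) come out whole, and they reject names that do not fit the pattern. The version and release numbers in the usage loop are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): split an RPM package file name into its fields.
# Format: name-version-release.arch.rpm. Parsing runs from the right because the
# package name may itself contain hyphens (krb5-libs, redhat-release) while the
# version, release and architecture fields never do.

# rpm_parse FILE -> "name version release arch"; non-zero status if FILE does not fit
rpm_parse() {
    file=${1##*/}                            # drop any directory part
    case "$file" in
        *.rpm) stem=${file%.rpm} ;;
        *)     echo "rpm_parse: '$1' does not end in .rpm" >&2; return 1 ;;
    esac
    arch=${stem##*.}                         # text after the last dot
    [ "$arch" != "$stem" ] || { echo "rpm_parse: no architecture in '$1'" >&2; return 1; }
    nvr=${stem%.*}                           # name-version-release
    release=${nvr##*-}                       # text after the last hyphen
    [ "$release" != "$nvr" ] || { echo "rpm_parse: no release in '$1'" >&2; return 1; }
    nv=${nvr%-*}                             # name-version
    version=${nv##*-}                        # text after the last remaining hyphen
    [ "$version" != "$nv" ] || { echo "rpm_parse: no version in '$1'" >&2; return 1; }
    name=${nv%-*}                            # everything before it, hyphens and all
    echo "$name $version $release $arch"
}

# rpm_name FILE -> the bare package name, which is what "rpm -e" and "rpm -q" expect
rpm_name() {
    fields=$(rpm_parse "$1") || return 1
    echo "${fields%% *}"
}

# Constructed usage: file names in the book's style (version numbers made up).
for f in foo-1.0-2.i386.rpm /mnt/cdrom/RedHat/RPMS/krb5-libs-1.2.2-4.i386.rpm \
         redhat-release-7.1-1.noarch.rpm foo-2.3-8.src.rpm; do
    rpm_parse "$f"
done
```

The name returned by rpm_name is the argument to give rpm -e; passing the full file name to rpm -e is the mistake the next paragraph warns about.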


• To uninstall an RPM package, use the command:
[root@deep /]# rpm -e foo

Notice that we used the package name “foo”, not the name of the original package file “foo-1.0-2.i386.rpm”.

• To upgrade an RPM package, use the command:
[root@deep /]# rpm -Uvh foo-1.0-2.i386.rpm
foo ##################################################

With this command, RPM automatically uninstalls the old version of the foo package and installs the new one. Always use rpm -Uvh to install packages, since it works fine even when there is no previous version of the package installed.

• To query an RPM package, use the command:
[root@deep /]# rpm -q foo
foo-2.3-8

This command will print the package name, version, and release number of the installed package foo. Use this command to verify that a package is or is not installed on your system.

• To display package information, use the command:
[root@deep /]# rpm -qi foo
Name        : foo                          Relocations: none
Version     : 2.3                               Vendor: OpenNA.com, Inc.
Release     : 8                             Build Date: Thu 24 Aug 2000 11:16:53 AM
Install date: Mon 12 Feb 2001 01:17:24 AM EST   Build Host: openna.com
Group       : Applications/Archiving        Source RPM: foo-2.3-8.src.rpm
Size        : 271467                           License: distributable
Packager    : OpenNA.com, Inc. <http://www.openna.com/>
Summary     : Here will appear the summary of the package.
Description :
Here will appear the description of the package.

This command displays package information, including the name, version, and description of the installed program. Use this command to get information about an installed package.

• To display package information before installing the program, use the command:
[root@deep /]# rpm -qpi foo-2.3-8.i386.rpm
Name        : foo                          Relocations: none
Version     : 2.3                               Vendor: OpenNA.com, Inc.
Release     : 8                             Build Date: Thu 24 Aug 2000 11:16:53 AM
Install date: Mon 12 Feb 2001 01:17:24 AM EST   Build Host: openna.com
Group       : Applications/Archiving        Source RPM: foo-2.3-8.src.rpm
Size        : 271467                           License: distributable
Packager    : OpenNA.com, Inc. <http://www.openna.com/>
Summary     : Here will appear the summary of the package.
Description :
Here will appear the description of the package.

This command displays package information, including the name, version, and description of the program, without the need to install the program first. Use this command to get information about a package before you install it on your system.

• To list the files in an installed RPM package, use the command:
[root@deep /]# rpm -ql foo
/usr/bin/foo
/usr/bin/foo1
/usr/sbin/foo2

This command will list all the files in an installed RPM package. It works only when the package is already installed on your system.

• To list the files in a package that is not already installed, use the command:
[root@deep /]# rpm -qpl foo-2.3-8.i386.rpm
/usr/lib/foo
/usr/bin/foo1
/usr/sbin/foo2

This command will list all the files in an RPM package that is not already installed on your system. It is useful when you want to know which components are included in the package before installing it.

• To know which package a file belongs to, use the command:
[root@deep /]# rpm -qf /etc/passwd
setup-2.3.4-1

This command will show you which RPM package the file comes from. It works only when the package is already installed on your system, and it is very useful when you see files on your Linux system that you do not know about and want more information about their RPM provenance.

• To check the signature of an RPM package, use the command:
[root@deep /]# rpm --checksig foo-2.3-8.i386.rpm

This command checks the PGP signature of the specified package to ensure its integrity and origin. Always use this command before installing a new RPM package on your system. GnuPG or PGP software must already be installed on your system, with the vendor's public key imported into its keyring, before you can use this command. See the chapter related to GnuPG installation and configuration for more information.

• To examine only the md5sum of the package, use the command:
[root@deep /]# rpm --checksig --nogpg foo-2.3-8.i386.rpm

The RPM md5sum is useful to verify that a package has not been corrupted or tampered with. You can use it to be sure that the download of your new RPM package was not corrupted during network transfer. Keep in mind that the md5sum alone says nothing about who built the package; only the signature check above establishes its origin.


Starting and stopping daemon services

The init program of Linux (also known as process control initialization) is in charge of starting all the normal and authorized processes that need to run at boot time on your system. These may include the APACHE daemons, NETWORK daemons, and anything else that must be running when your machine boots. Each of these processes has a script under the /etc/rc.d/init.d directory written to accept an argument, which can be start, stop, restart, etc. You can also execute those scripts by hand.

For example:

• To start the httpd Web Server daemon manually under Linux, you'll type:
[root@deep /]# /etc/rc.d/init.d/httpd start
Starting httpd:                         [  OK  ]

• To stop the httpd Web Server daemon manually under Linux, you'll type:
[root@deep /]# /etc/rc.d/init.d/httpd stop
Shutting down httpd:                    [  OK  ]

• To restart the httpd Web Server daemon manually under Linux, you'll type:
[root@deep /]# /etc/rc.d/init.d/httpd restart
Shutting down httpd:                    [  OK  ]
Starting httpd:                         [  OK  ]

Check inside your /etc/rc.d/init.d directory for the services available and use the start | stop | restart arguments to control them.
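
As an added example, not a script shipped by Red Hat, here is a minimal control script in the style of the /etc/rc.d/init.d scripts just described. It accepts start, stop, restart and status, records the daemon's pid in a pid file, refuses to start a second copy, and reaps the process it stops. The managed daemon is a constructed stand-in (a background sleep), and the names NAME, DAEMON and PIDFILE are assumptions; the file can be sourced to call the functions directly or run with an argument.

```shell
#!/bin/sh
# Added example: a minimal control script in the style of /etc/rc.d/init.d scripts,
# accepting start | stop | restart | status. The managed "daemon" is a constructed
# stand-in (a background sleep) so the script runs anywhere; NAME, DAEMON and
# PIDFILE are assumptions, not values taken from any Red Hat script.
NAME=fakedaemon
DAEMON="sleep 60"
PIDFILE="${TMPDIR:-/tmp}/$NAME.$$.pid"

# svc_pid -> prints the recorded pid; fails if there is no pid file
svc_pid() {
    [ -f "$PIDFILE" ] && cat "$PIDFILE"
}

# svc_running -> success only if the recorded pid still exists
svc_running() {
    pid=$(svc_pid) && kill -0 "$pid" 2>/dev/null
}

svc_start() {
    if svc_running; then
        echo "$NAME is already running (pid $(svc_pid))"
        return 0
    fi
    rm -f "$PIDFILE"                     # drop a stale pid file left by a crash
    $DAEMON >/dev/null 2>&1 &            # detach the daemon from our stdout/stderr
    echo $! > "$PIDFILE"
    echo "Starting $NAME:                 [  OK  ]"
}

svc_stop() {
    if ! svc_running; then
        echo "$NAME is not running"
        rm -f "$PIDFILE"
        return 1
    fi
    pid=$(svc_pid)
    kill "$pid"
    wait "$pid" 2>/dev/null || true      # reap it so kill -0 cannot see a zombie
    rm -f "$PIDFILE"
    echo "Shutting down $NAME:            [  OK  ]"
}

svc_restart() {
    svc_stop || true                     # restart must work even if it was not running
    svc_start
}

# svc_status -> 0 when running, 3 when stopped (the LSB convention for "not running")
svc_status() {
    if svc_running; then
        echo "$NAME (pid $(svc_pid)) is running"
        return 0
    fi
    echo "$NAME is stopped"
    return 3
}

# Dispatch only when an argument is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   svc_start ;;
        stop)    svc_stop ;;
        restart) svc_restart ;;
        status)  svc_status ;;
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
    esac
fi
```

The stop branch returns 1 when there is nothing to stop, which is why restart ignores its status, and the pid file is the only record of the process, so a stale one is discarded rather than trusted.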
Software that must be uninstalled after installation of the server

Red Hat Linux installs other programs on your system by default without giving you the choice to leave them out during the install setup, and some of them are programs that we are going to compile from tarballs (source code) later. For this reason, you must uninstall the following software from your system after the installation of your Linux server.

In the table below, you'll find a partial list of software that must be uninstalled once the installation of your Linux server has been completed.

anacron      hotplug      pciutils
apmd         ipchains     pump
at           ksymoops     raidtools
dhcpcd       kudzu        redhat-logos
dosfstools   lokkit       redhat-release
eject        mailcap      setserial

Use the following RPM command to uninstall them:

• The command to uninstall RPM software is:
[root@deep /]# rpm -e <softwarenames>

Where <softwarenames> is the name of the software you want to uninstall, e.g. foo.

Step 1
Programs like apmd, sendmail, at and anacron are daemons that run as processes. It is better to stop those processes before uninstalling them from the system.

• To stop those processes, use the following commands:
[root@deep /]# /etc/rc.d/init.d/apmd stop
Shutting down APM daemon:               [  OK  ]

[root@deep /]# /etc/rc.d/init.d/sendmail stop
Shutting down sendmail:                 [  OK  ]

[root@deep /]# /etc/rc.d/init.d/atd stop
Stopping at daemon:                     [  OK  ]

[root@deep /]# /etc/rc.d/init.d/anacron stop
Shutting down anacron:                  [  OK  ]

Step 2
Once the apmd, sendmail, at and anacron programs have been stopped, you can safely uninstall them, and all the other packages, as shown below:

• To remove all the unneeded packages together, use the following commands:
[root@deep /]# rpm -e --nodeps anacron apmd at dhcpcd dosfstools eject hotplug ipchains ksymoops kudzu lokkit mailcap pciutils pump raidtools redhat-logos redhat-release setserial

[root@deep /]# rm -rf /var/spool/anacron/
Step 3
The program hdparm is needed by IDE hard disks but not by SCSI hard disks. If you have an IDE disk on your system you must keep this program (hdparm), but if you don't have an IDE hard disk you can remove it safely from your system. hdparm is used to optimize your IDE hard drive. SCSI hard drives don't need to be optimized since they are capable of running at their full speed (80 Mps to 160 Mps) without modification.

• To remove the hdparm package from your system, use the following command:
[root@deep /]# rpm -e hdparm

Step 4
The program mkinitrd is needed by SCSI or RAID hard disks but not by IDE hard disks. If you have a SCSI or RAID disk on your system you must keep this program (mkinitrd), but if you don't have a SCSI or RAID hard disk you can safely remove it from your system.

• To remove the mkinitrd package from your system, use the following command:
[root@deep /]# rpm -e --nodeps mkinitrd

Step 5
The programs kbdconfig, mouseconfig, timeconfig, authconfig, ntsysv, and setuptool are used to set your keyboard language and type, your mouse type, your default time zone, your NIS and shadow passwords, the numerous symbolic links in the /etc/rc.d directory, and a text mode menu utility which allows you to access all of these features. After those configurations have been set during the installation stage of your Linux server it's rare that you would need to change them again. So, you can uninstall them, and if in the future you need to change your keyboard, mouse, default time, etc. again via the text mode menu, all you have to do is install the program with the RPM from your original CD-ROM.

• To remove all the above programs from your system, use the following command:
[root@deep /]# rpm -e kbdconfig mouseconfig timeconfig authconfig ntsysv setuptool

Step 6
The program quota is a system administration tool for monitoring and limiting user/group disk usage, per file system. This program must be installed only on servers where there is a need to monitor and restrict the amount of disk space in users' directories.

• To remove the quota package from your system, use the following command:
[root@deep /]# rpm -e quota

Step 7
Even if you are not intending to install a mail server on your Linux system, the program Sendmail (or an equivalent program) is always needed on your servers for the messages sent to the root user by the different software services installed on your machine.

Sendmail is a Mail Transport Agent (MTA) program that sends mail from one machine to another. It can be configured in different manners; it can serve as an internal delivery mail system to a Mail Hub Server, or it can be configured to be a Central Mail Hub Server for all Sendmail machines on your network. So depending on what you want to do with Sendmail, you must configure it to respond to your specific needs and speed. For this reason you must uninstall Sendmail and see the part of this book that is related to Mail Transfer Agent configuration and installation.

• To remove the sendmail package from your system, use the following command:
[root@deep /]# rpm -e sendmail

Step 8
Procmail is a mail-processing program, which can be used by Sendmail for all local mail delivery. This program is required only if you decide to install and use Sendmail on your server as a Central Mail Hub Server. Since only a mail server with Sendmail as its MTA requires procmail, it is better to uninstall procmail and install it only on the machine that will become your mail server with Sendmail.

• To remove the procmail package from your system, use the following command:
[root@deep /]# rpm -e procmail

Step 9
The OpenLDAP software is a set of protocols for accessing directory services like phone book style information and other kinds of information over the Internet. This useful program is not suitable for everyone and depends on what you want to do with your system. If you want to give it a try, see later in this book under the chapter related to databases for more information.

• To remove the OpenLDAP package from your system, use the following command:
[root@deep /]# rpm -e openldap

Step 10
The Cyrus SASL implementation is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. It is used in conjunction with Cyrus, which is an electronic messaging program like Sendmail. Since we don't use it and don't talk about it in this book, we can safely remove it.

• To remove the Cyrus SASL package from your system, use the following command:
[root@deep /]# rpm -e cyrus-sasl

Step 11
OpenSSL is an SSL encryption mechanism which ensures and provides safe and secure transactions of data over networks. This piece of software is one of the most important tools for a Linux server and it is highly recommended that it is installed. Unfortunately, the one that comes with Red Hat Linux is not up to date and not optimized for our specific server. For this reason, we will uninstall it now and see later in this book, under the chapters related to security software, how to install, secure, optimize and use it.

• To remove the OpenSSL package from your system, use the following commands:
[root@deep /]# rpm -e openssl
[root@deep /]# rm -rf /usr/share/ssl/

Step 12
The ash package is a smaller version of the Bourne shell (sh). Since we already use sh, we can uninstall this package from our system. If you use this program in your regular administration tasks, then keep it installed on your server.

• To remove the ash package from your system, use the following command:
[root@deep /]# rpm -e ash

Step 13
The time package is a utility for monitoring a program's use of system resources and can be used by developers to optimize their programs. This program is useful for developers.

• To remove the time package from your system, use the following command:
[root@deep /]# rpm -e time

Step 14
The krb5-libs package contains the shared libraries needed by Kerberos 5. Because we're not using Kerberos, we'll need to uninstall this package. Kerberos is not as secure as you might think and can be cracked easily with some good knowledge of this program. Anyway, it is yours to decide if you really need it.

• To remove the krb5-libs package from your system, use the following commands:
[root@deep /]# rpm -e krb5-libs
[root@deep /]# rm -rf /usr/kerberos/


Descriptions of programs that must be uninstalled after installation of the server 
Below is the list of programs and a short description of their purpose. We must uninstall them for 
increased security and to make more space on our server. For more information and an 
explanation of their capabilities and uses, please see your Red Hat manual or query the package 
by making an “rpm -qi foo” command before uninstalling it. 


e The anacron package is similar to the cron package but differ in the way that it does 
not assume that the system is running continuously and it is a good command scheduler 
for system which don’t run 24 hours a day. [Unnecessary for a server] 


e The apmd package, or advanced Power Management daemon utilities, can watch your 
notebook's battery and warn all users when the battery is low. [Unnecessary for a 
server] 


e The at package is a utility that will do time-oriented job control by scheduling a command 
to run later. Unfortunately, it has had a rich history of problems and we can achieve the 
same functionality with the more secure vixie—cron package. For this reason | 
recommend you to uninstall it. [Security Risks] 


e The dhcpcd package contains the protocol, which allows systems to get their own 
network configuration information from a DHCP server. If your are going to use DHCP on 
your network, it is recommended to install the DHCP client included in the pump package, 
which provides a faster and simpler DHCP client. [Unnecessary] 
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The dosfstools package contains utilities for making and checking MS-DOS FAT file 
systems on Linux. Remember that we want to install a Linux server on our system and 
not a PC with two different operating systems on it. Therefore we must uninstall this 
program from our computer. [Unnecessary, we run a server] 


The eject package contains an eject program that allows the user to eject removable 
media (typically CD-ROMs, floppy disks, lomega Jaz or Zip disks) using software. 
[Necessary only if you have a tape backup on this server] 


The hotplug package is a helper application for loading modules for USB devices. On a 
server environment, USB devices are not used at all and are required only on Linux 
workstation. [Unnecessary, we run a server] 


The ipchains package is the old tool used with Linux kernel 2.2 for managing Linux 
kernel packet filtering capabilities and to set up firewalling on the network. A new and 
more powerful tool named “IPTABLES” exists and this is the one that we will use later in 
the book to set up our firewall on Linux. [Unnecessary] 





The ksymoops package is a small tool used to report kernel oops and error message 
decoder. This package is useful for developers that work on the Linux kernel and want to 
debug or for users that want to report bugs with the kernel. The same result can be 
achieved with the dmesg command of Linux. [Unnecessary] 


The kudzu package is a hardware-probing tool run at system boot time to determine 
what hardware has been added or removed from the system. [Unnecessary, we run a 
server] 


The Lokkit package is a Firewall configuration application for an average end user and 
it is not designed to configure arbitrary firewalls since it is solely designed to handle 
typical dialup user and cable modem set-ups. It is not the answer to a complex firewall 
configuration, and it is not the equal of an expert firewall designer. [Unnecessary] 


Metamail is a program that uses the mailcap file to determine how it should display 
non-text or multimedia material. [Unnecessary] 


The pciutils package contains various utilities for inspecting and setting devices 
connected to the PCI bus. [We use other methods] 


The Pump DHCP package allows individual diskless clients on a network to get their own 
IP network configuration information from network servers. [Unnecessary] 


The raidtools package includes the tools you need to set up and maintain a software 
RAID device on a Linux system. [Depends on whether you use RAID or not] 


The redhat-logos package contains files of the Red Hat "Shadow Man" logo and the 
RPM logo. [Unnecessary on a server] 


The redhat-release package contains the Red Hat Linux release file. [Unnecessary] 





The setserial package is a basic system utility for displaying or setting serial port 
information. [Unnecessary] 

NOTE ABOUT SYSTEM SIZE: If all the packages described in this section have been uninstalled from 
the system, then our install size of Linux is now 132MB. 





Remove unnecessary documentation files 

Well, 132MB is very good but we can do more. By default the majority of the RPM packages 
installed under Linux come with documentation files related to the software. This documentation 
contains original files from the program tar archive like README, FAQ, BUG, INSTALL, NEWS, 
PROJECTS and more. 

Many of them can be easily retrieved from the website where the program has been downloaded 
and it makes no sense for them to be kept on your system. I know that hard drive costs have 
come down considerably recently, but why keep this kind of documentation on a secure server if 
it is unlikely to be read more than once. Anyway, have a look inside those files and decide 
for yourself if you want to remove them or not. 


• To remove all documentation files from your system, use the following commands: 
[root@deep /]# cd /usr/share/doc/ 
[root@deep doc]# rm -rf * 
NOTE ABOUT SYSTEM SIZE: If all the documentation files have been removed from the system, then 
our install size of Linux is now 118MB. 





Remove unnecessary/empty files and directories 

There are some files and directories we can remove manually from the file system of Linux to 
make a clean install. These files and directories are not needed but still exist after our secure 
installation of Linux and can be removed safely. Some are bugs from the Red Hat installation 
script and others are created by default even if you don’t use them. 


• To remove all unnecessary/empty files and directories from your system, use the 
following commands: 

[root@deep /]# rm -f /etc/exports 
[root@deep /]# rm -f /etc/printcap 
[root@deep /]# rm -f /etc/ldap.conf 
[root@deep /]# rm -f /etc/yp.conf 
[root@deep /]# rm -f /etc/hosts.allow 
[root@deep /]# rm -f /etc/hosts.deny 
[root@deep /]# rm -rf /etc/xinetd.d/ 
[root@deep /]# rm -rf /etc/hotplug/ 
[root@deep /]# rm -rf /etc/ppp/ 
[root@deep /]# rm -rf /etc/opt/ 
[root@deep /]# rm -rf /etc/X11/ 
[root@deep /]# rm -rf /opt/ 
[root@deep /]# rm -rf /var/opt/ 
[root@deep /]# rm -rf /var/nis/ 
[root@deep /]# rm -rf /var/spool/lpd/ 
[root@deep /]# rm -rf /usr/X11R6/ 
[root@deep /]# rm -rf /usr/etc/ 
[root@deep /]# rm -rf /usr/local/ 
[root@deep /]# rm -rf /usr/dict/ 
[root@deep /]# rm -f /usr/bin/X11 
[root@deep /]# rm -f /usr/bin/kbdrate 
[root@deep /]# rm -f /usr/lib/X11 
[root@deep /]# rm -f /usr/lib/libcrypto.so.1 
[root@deep /]# rm -f /usr/lib/libssl.so.1 
[root@deep /]# rm -rf /usr/lib/games/ 
[root@deep /]# rm -rf /usr/share/empty/ 
[root@deep /]# rm -rf /usr/share/pixmaps/ 

NOTE: If in the future you want to install a program which needs some of the files/directories we 
have removed, then the program will automatically recreate the missing files or directories. Good! 





Software that must be installed after installation of the server 

There are certain programs required to be able to compile programs on your server; for this 
reason you must install the following RPM packages. This part of the installation is very important 
and requires that you install all the packages described below. 

These are on your Red Hat Part 1 and Part 2 CD-ROMs under the RedHat/RPMS directory and 
represent the necessary base software needed by Linux to compile and install programs. Please 
note that if you don't want to compile software on your server, if you only use RPM packages 
to update programs, or if you use a dedicated server to develop, compile or create your own 
RPM packages which will later be installed on the servers along your network, then you DON'T 
need to install the packages described here. 


Step 1 
First, we mount the CD-ROM drive and move to the RPMS subdirectory of the CD-ROM. 


• To mount the CD-ROM drive and move to the RPMS directory, use the following commands: 
[root@deep /]# mount /dev/cdrom /mnt/cdrom/ 
hda: ATAPI 32X CD-ROM drive, 128kB Cache 
mount: block device /dev/cdrom is write-protected, mounting read-only 
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/ 


These are the packages that we need to be able to compile and install programs on the Linux 
system. Remember, this is the minimum number of packages that permits you to compile most of 
the tarballs available for Linux. Other compiler packages exist on the Linux CD-ROM, so if you 
receive error messages during compilation of a specific piece of software, check the README 
file that came with the tarball of the program you want to install. 
The compiler packages: 

Compiler packages contain programs and languages used to build software on the system. 
Remember to uninstall all of the following compiler packages after successful installation of all 
software required on your Linux server. 

binutils-2.10.91.0.2-3.i386.rpm        flex-2.5.4a-13.i386.rpm 
bison-1.28-5.i386.rpm                  gcc-2.96-81.i386.rpm 
byacc-1.9-18.i386.rpm                  gcc-c++-2.96-81.i386.rpm 
cdecl-2.5-17.i386.rpm                  kernel-headers-2.4.2-2.i386.rpm 
cpp-2.96-81.i386.rpm                   m4-1.4.1-4.i386.rpm 
cproto-4.6-7.i386.rpm                  make-3.79.1-5.i386.rpm 
ctags-4.0.3-1.i386.rpm                 patch-2.5.4-9.i386.rpm 
dev86-0.15.0-5.i386.rpm                perl-5.6.0-12.i386.rpm 
The development packages: 

Development packages contain header and other files required during compilation of software. In 
general, development packages are needed when we want to add some specific functionality to 
the program that we want to compile. For example, if I want to add PAM support to IMAP, I'll need 
pam-devel, which contains the required header files for IMAP to compile successfully. 

As for compiler packages, all development packages must be uninstalled after successful 
compilation of all the software that you need on your Linux server. Remember to uninstall them 
since they are not needed for proper functionality of the server, but just to compile the programs. 

aspell-devel-0.32.6-2                  libpng-devel-1.0.9-1 
db3-devel-3.1.17-7                     libstdc++-devel-2.96-81 
freetype-devel-2.0.1-4                 ncurses-devel-5.2-8 
gd-devel-1.8.3-7                       pam-devel-0.74-22 
gdbm-devel-1.8.0-5                     pspell-devel-0.11.2-2 
glibc-devel-2.2.2-10                   zlib-devel-1.1.3-22 
libjpeg-devel-6b-15 








Dependencies packages: 

Dependencies packages are other RPM packages needed by the RPM packages that we want to 
install. This happens because some RPMs are directly linked with others and depend on each 
other to function properly. The following packages are required by the above RPM packages and 
we will install them to satisfy dependencies. After proper compilation and installation of all needed 
software on the Linux server, we can uninstall them safely (if not needed by a special program that 
we will install). 

gd-1.8.3-7                             libpng-1.0.9-1 
freetype-2.0.1-4                       libtool-libs-1.3.5-8 
libjpeg-6b-15                          pspell-0.11.2-2 

Step 2 


It is better to install the software described above together if you don't want to receive 
dependency error messages during the install. Some of the RPMs reside on CD-ROM Part 1 
and others on CD-ROM Part 2 of Red Hat. For easy installation, I recommend you copy all of the 
required packages (compilers and development) to your hard drive and install them from there. 

• These procedures can be accomplished with the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rpm -Uvh *.rpm 
binutils 
bison 
byacc 
cdecl 
cpp 
cproto 
ctags 
dev86 
flex 
gcc 
kernel-headers 
gcc-c++ 
m4 
make 
patch 
perl 
aspell-devel 
db3-devel 
freetype-devel 
gd-devel 
gdbm-devel 
glibc-devel 
libjpeg-devel 
libpng-devel 
libstdc++-devel 
ncurses-devel 
pam-devel 
pspell-devel 
zlib-devel 
gd 
libjpeg 
libpng 
pspell 
freetype 
libtool-libs 
NOTE: Some of the RPMs reside on CD-ROM Part 1 and others on CD-ROM Part 2 of Red Hat. For 
easy installation, I recommend you copy all of the required packages (compilers and 
development) to your hard drive and install them from there. 

NOTE ABOUT SYSTEM SIZE: If you have installed all the required packages described above to be 
able to compile on the system, then our install size of Linux is now 222MB. 





Step 3 


This step is required only if you also want to use the Linux server to compile programs and 
services. If you have a dedicated system to compile and build RPM packages, which can be 
installed on the other servers on your network, you don't need this step. 

After installation and compilation of all programs and services, it's a good idea to remove all 
sharp objects (compilers, etc.) described above unless they are required by your system. A few 
reasons are: 

✓ If a cracker gains access to your server he or she cannot compile or modify binary 
programs. Also, this will free a lot of space and will help to improve regular scanning of 
the files on your server for integrity checking. 

✓ When you run a server you will give it a special task to accomplish. You will never put all 
the services you want to offer on one machine or you will lose speed (resources available 
divided by the number of processes running on the server). 

✓ A lot of services running on the same machine decreases your security: if a cracker 
accesses this server, he or she can directly attack all the others available. 

✓ Having different servers doing different tasks will simplify administration and 
management. You know what task each server is supposed to do, what services should 
be available, which ports are open to client access and which ones are closed, what you 
are supposed to see in the log files, etc., and this gives you more control and 
flexibility on each one (server dedicated for mail, web pages, database, development, 
backup, etc.). 

✓ For example, one server specialized just for development and testing will mean you will 
not be compelled to install compiler programs on a server each time you want to compile 
and install new software on it, and be obliged afterwards to uninstall the compilers, or 
other sharp objects. 


Verifying installed programs on your Server 


If you have followed each step exactly as described, this is the list of all installed programs that 
you should have on your server after the complete installation of Linux. 


Step 1 


This list must match exactly the install.log file located in your /tmp directory or you could 
run into problems. 





glibc-common  mailcap  redhat-logos  redhat-release  setup  filesystem 
basesystem  glibc  termcap  bdflush  chkconfig  cracklib 
db1  db2  db3  dosfstools  e2fsprogs  eject 
file  gdbm  glib  hdparm  ksymoops  libtermcap 
losetup  mailx  mingetty  mktemp  bash  bzip2 
hotplug  libstdc++  groff  MAKEDEV  modutils  ncurses 
info  cpio  diffutils  ed  fileutils  at 
findutils  gawk  gettext  grep  ash  dhcpcd 
gzip  less  man  net-tools  openssl  popt 
logrotate  procmail  procps  psmisc  pwdb  raidtools 
readline  rootfiles  sed  console-tools  setserial  shadow-utils 
dev  slang  newt  kbdconfig  ntsysv  setuptool 
slocate  sysklogd  syslinux  tar  textutils  mount 
mkinitrd  lilo  mkbootdisk  mouseconfig  time  tmpwatch 
crontabs  utempter  vim-common  vim-minimal  which  words 
cracklib-dicts  pam  authconfig  cyrus-sasl  gpm  kudzu 
passwd  sh-utils  krb5-libs  openldap  sendmail  SysVinit 
zlib  rpm  util-linux  initscripts  apmd  devfsd 
ipchains  kernel  lokkit  pciutils  pump  quota 
timeconfig  vixie-cron  anacron 











NOTE: All texts in bold are packages that we have uninstalled from the default install list. 
Remember that some of these RPM packages will be reinstalled manually later in this book and 
most are unnecessary for the daily work of the system. 

After we have uninstalled all the software that must be uninstalled and added the 
necessary RPM packages to be able to compile programs, we must verify the list of all installed 
RPM programs again, but this time with the following command: 

• To verify the list of all installed RPM packages on your system, use the command: 
[root@deep /]# rpm -qa > installed_rpm 

The "-qa" option will query all installed RPM packages on your system and the special character 
">" will redirect the output to the file named installed_rpm. 

The content of the installed_rpm file must look exactly like this: 











filesystem-2.0.7-1 
glibc-2.2.2-10 
bdflush-1.5-16 
cracklib-2.7-8 
db2-2.4.14-5 
gdbm-1.8.0-5 
libtermcap-2.0.8-26 
mailx-8.1.1-20 
mktemp-1.5-8 
bzip2-1.0.4-3 
libstdc++-2.96-81 
MAKEDEV-3.1.0-14 
ncurses-5.2-8 
cpio-2.4.2-20 
ed-0.2-19 
gawk-3.0.6-1 
grep-2.4.2-5 
less-358-16 
net-tools-1.57-6 
popt-1.6.2-8 
psmisc-19-4 
rootfiles-7.0-4 
console-tools-19990829-34 
shadow-utils-20000826-4 
slang-1.4.2-2 
sysklogd-1.4-7 
tar-1.13.19-4 
mount-2.10r-5 
lilo-21.4.4-13 
tmpwatch-2.7.1-1 
utempter-0.5.2-4 
vim-minimal-6.0-0.27 
words-2-16 
pam-0.74-22 
sh-utils-2.0-13 
SysVinit-2.78-15 
rpm-4.0.2-8 
initscripts-5.83-1 
devfsd-2.4.2-2 
kernel-2.4.2-2 
vixie-cron-3.0.1-62 
glibc-common-2.2.2-10 
setup-2.4.7-1 
basesystem-7.0-2 
termcap-11.0.1-8 
chkconfig-1.2.22-1 
db1-1.85-5 
db3-3.1.17-7 
e2fsprogs-1.19-4 
file-3.33-1 
glib-1.2.9-1 
losetup-2.10r-5 
mingetty-0.9.4-16 
bash-2.04-21 
groff-1.16.1-7 
modutils-2.4.2-5 
info-4.0-20 
diffutils-2.7-20 
fileutils-4.0.36-4 
findutils-4.1.6-2 
gettext-0.10.35-31 
gzip-1.3-12 
man-1.5h1-20 
logrotate-3.5.4-1 
procps-2.0.7-8 
pwdb-0.61.1-1 
readline-4.1-9 
sed-3.02-9 
dev-3.1.0-14 
newt-0.50.22-2 
slocate-2.5-5 
syslinux-1.52-1 
textutils-2.0.11-7 
crontabs-1.9-2 
vim-common-6.0-0.27 
which-2.12-1 
cracklib-dicts-2.7-8 
gpm-1.19.3-16 
passwd-0.64.1-4 
zlib-1.1.3-22 
util-linux-2.10s-12 
binutils-2.10.91.0.2-3 
byacc-1.9-18 
cpp-2.96-81 
ctags-4.0.3-1 
dev86-0.15.0-5 
kernel-headers-2.4.2-2 
gcc-2.96-81 
gcc-c++-2.96-81 
make-3.79.1-5 
perl-5.6.0-12 
bison-1.28-5 
cdecl-2.5-17 
cproto-4.6-7 
flex-2.5.4a-13 
glibc-devel-2.2.2-10 
m4-1.4.1-4 
patch-2.5.4-9 
aspell-devel-0.32.6-2 
db3-devel-3.1.17-7 
freetype-devel-2.0.1-4 
gd-devel-1.8.3-7 
gdbm-devel-1.8.0-5 
libjpeg-devel-6b-15 
libpng-devel-1.0.9-1 
libstdc++-devel-2.96-81 
ncurses-devel-5.2-8 
pam-devel-0.74-22 
pspell-devel-0.11.2-2 
zlib-devel-1.1.3-22 
gd-1.8.3-7 
freetype-2.0.1-4 
libjpeg-6b-15 
libpng-1.0.9-1 
libtool-libs-1.3.5-8 
pspell-0.11.2-2 
NOTE: All texts in bold are compiler packages that we have added to be able to compile programs 
on the system. Remember that these packages can be uninstalled safely and without problems 
after complete compilation of all software. 





This second step is required to be sure we have not forgotten to remove some unnecessary RPM 
or to add some important packages that permit us to compile programs on the system. If the 
result looks the same as our installed_rpm file above, we are now ready to play with our new 
Linux server. 


In the above list, I assume that all sharp objects required for compiling programs and 
services on the system are installed. Of course they must be uninstalled and removed from the 
list if we don't want to use this server to compile programs and services but prefer to use RPM 
packages made on another system for all servers on our network. 
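Checking the two lists by eye is error-prone, so the following shell script is an added example (not from the book) that compares a captured rpm -qa listing against the installed_rpm baseline, reports packages that appeared or disappeared, and lists the sharp objects (the compiler and -devel packages from this chapter's install lists) that Step 3 says to remove once compilation is finished. The package names and versions fed into it are constructed samples, not a real server.

```shell
#!/bin/sh
# Added example (not from the book): compare a captured "rpm -qa" listing with
# the installed_rpm baseline kept after the secure install, report drift, and
# list the "sharp objects" (compilers and -devel packages) still present.
# In real use capture the listing exactly as the book shows: rpm -qa > installed_rpm
# Package names and versions below are constructed samples, not a real server.

# Baseline: what the server is supposed to carry (constructed sample).
EXPECTED_BASELINE='bash-2.04-21
glibc-2.2.2-10
gcc-2.96-81
glibc-devel-2.2.2-10
pam-0.74-22'

# Listing taken from the server being audited (constructed sample).
CURRENT_LISTING='bash-2.04-21
glibc-2.2.2-10
gcc-2.96-81
glibc-devel-2.2.2-10
telnet-server-0.17-10'

# _lines_not_in LIST_A LIST_B: print every line of LIST_B that is absent from LIST_A.
_lines_not_in() {
    printf '%s\n' "$2" | sort -u | while read -r pkg; do
        [ -n "$pkg" ] || continue
        printf '%s\n' "$1" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Packages present on the server that the baseline does not allow.
unexpected_packages() { _lines_not_in "$1" "$2"; }

# Packages the baseline expects that have disappeared from the server.
missing_packages() { _lines_not_in "$2" "$1"; }

# Compiler and development packages named in this chapter's install lists.
# perl is deliberately left out of the pattern because other system scripts may
# depend on it; check it with "rpm -e --test perl" before removing it.
sharp_objects() {
    printf '%s\n' "$1" | grep -E -- \
        '^(binutils|bison|byacc|cdecl|cpp|cproto|ctags|dev86|flex|gcc|gcc-c[+][+]|kernel-headers|m4|make|patch)-[0-9]|-devel-'
}

echo "Unexpected packages:"
unexpected_packages "$EXPECTED_BASELINE" "$CURRENT_LISTING"
echo "Missing packages:"
missing_packages "$EXPECTED_BASELINE" "$CURRENT_LISTING"
echo "Sharp objects still installed:"
sharp_objects "$CURRENT_LISTING"
```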


Update of the latest software 

Keep all software (especially network software) up to date with the latest versions. Check the 
errata pages for the Red Hat Linux distribution, available at 
http://www.redhat.com/apps/support/updates.html. The errata pages are perhaps the best 
resource for fixing 90% of the common problems with Red Hat Linux. In addition, security holes 
for which a solution exists are generally on the errata page 24 hours after Red Hat has been 
notified. You should always check there first. 


Step 1 

For all software packages described here and later in this book, I assume that you use another 
computer on your network to retrieve and download the required software. If this is not the case, I 
suggest you at least install the FTP client program that comes with your OS CD-ROM, to be 
able to make remote connections and download files. 

Of course, if for some obscure reason the networking feature of your server doesn't work at this 
stage, I recommend you read the part of the book called "Networking Related Reference" and 
especially the chapter under it called "Networking - TCP/IP Network Management" for 
troubleshooting and more information on the subject. 

This secure Linux server installation requires that the software listed below be installed on your 
system to be able to download packages from the Internet, if you don't use another computer on 
your network to retrieve and download programs. 


✓ ftp, which provides the standard UNIX command-line FTP (File Transfer Protocol) client, 
must already be installed on your system to be able to download software from the Internet. 

• To verify if the ftp package is installed on your system, use the command: 
[root@deep /]# rpm -q ftp 
package ftp is not installed 

• To mount your CD-ROM drive before installing the required package, use the command: 
[root@deep /]# mount /dev/cdrom /mnt/cdrom/ 
mount: block device /dev/cdrom is write-protected, mounting read-only 

• To install the ftp package on your Linux system, use the following command: 
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/ 
[root@deep RPMS]# rpm -Uvh ftp-version.i386.rpm 
ftp ################################################## 

• To unmount your CD-ROM drive, use the following command: 
[root@deep RPMS]# cd /; umount /mnt/cdrom/ 


The following are based on information listed by Red Hat as of 2001/04/23. Please check 
regularly at http://www.redhat.com/ for the latest status. 

Errata: Bug Fixes & Advisories are available from: 

Red Hat Updates Web Site: http://www.redhat.com/apps/support/updates.html 
Red Hat Updates FTP Site: 216.148.218.202, 63.240.14.64, 216.148.218.201, 
63.240.14.63, 216.148.218.192, 63.240.14.62 


Step 2 
Software that must be updated at this time for your Red Hat Linux Secure Server are: 


mount—2.11b-3.i386.rpm 








NOTE: You can also retrieve all present and future software RPM packages that will need to be 
updated directly from our OpenNA.com website at: www.openna.com/downloads/downloads.php 
Part II Security and Optimization Related Reference 
In this Part 


Security and Optimization - General System Security 

Security and Optimization - Pluggable Authentication Modules 
Security and Optimization - General System Optimization 
Security and Optimization - Kernel Security & Optimization 


Now that we have installed a base system, the next four chapters will concentrate on how to 
tighten the security of our configured system, optimize our system to perform at its peak and 
upgrade our machine for the latest kernel. 


Please note that when we talk of tightening the security we are referring to the features available 
within the base installed system and not to any additional software. We will talk about them later 
in this book. 
3 Security and Optimization - General System Security 

In this Chapter 

BIOS 
Unplug your server from the network 
Security as a policy 
Choose a right password 
The root account 
Set login time out for the root account 
The /etc/exports file 
The single-user login mode of Linux 
The LILO and /etc/lilo.conf file 
Disabling Ctrl-Alt-Delete keyboard shutdown command 
The /etc/services file 
The /etc/securetty file 
Special accounts 
Control mounting a file system 
Mounting the /boot/ directory of Linux as read-only 
Conceal binary RPM 
Shell logging 
Physical hard copies of all-important logs 
Tighten scripts under /etc/rc.d/init.d/ 
The /etc/rc.d/rc.local file 
Bits from root-owned programs 
Finding all files with the SUID/SGID bit enabled 
Don't let internal machines tell the server what their MAC address is 
Unusual or hidden files 
Finding Group and World Writable files and directories 
Unowned files 
Finding .rhosts files 
System is compromised! 
Linux General System Security 


Abstract 

A secure Linux server depends on how the administrator makes it. Once we have eliminated the 
potential security risk by removing unneeded services, we can start to secure our existing 
services and software on our server. Within a few hours of installing and configuring your system, 
you can prevent many attacks before they occur. In this chapter we will discuss some of the more 
general, basic techniques used to secure your system. The following is a list of features that can 
be used to help prevent attacks from external and internal sources. 


BIOS 

It is recommended to disallow booting from floppy drives and to set passwords on BIOS features. 
You can check your BIOS manual or look at it thoroughly the next time you boot up your system 
to find out how to do this. Disabling the ability to boot from floppy drives and being able to set a 
password to access the BIOS features will improve the security of your system. 

This will block unauthorized people from trying to boot your Linux system with a special boot disk 
and will protect you from people trying to change BIOS features like allowing boot from floppy 
drive or booting the server without a password prompt. It is important to note that it is 
possible to bypass this security measure if someone has physical access to your server, since 
they can open the computer and unplug the BIOS battery. This will reset all features to their initial 
values. 


Unplug your server from the network 
It is not wise to apply security changes in your newly installed Linux server if you are online. So it 
is preferable to deactivate all network interfaces in the system before applying security changes. 


• To stop specific network devices manually on your system, use the following command: 
[root@deep /]# ifdown eth0 

• To start specific network devices manually on your system, use the following command: 
[root@deep /]# ifup eth0 

• To shut down all network interfaces, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network stop 
Shutting down interface eth0 [OK] 
Disabling IPv4 packet forwarding [OK] 

• To start all network interfaces, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network start 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 


Security as a policy 

It is important to point out that you cannot implement security if you have not decided what needs 
to be protected, and from whom. You need a security policy--a list of what you consider allowable 
and what you do not consider allowable upon which to base any decisions regarding security. 
The policy should also determine your response to security violations. What you should consider 
when compiling a security policy will depend entirely on your definition of security. The following 
questions should provide some general guidelines: 
✓ How do you classify confidential or sensitive information? 

✓ Does the system contain confidential or sensitive information? 

✓ Exactly whom do you want to guard against? 

✓ Do remote users really need access to your system? 

✓ Do passwords or encryption provide enough protection? 

✓ Do you need access to the Internet? 

✓ How much access do you want to allow to your system from the Internet? 

✓ What action will you take if you discover a breach in your security? 


This list is short, and your policy will probably encompass a lot more before it is completed. Any 
security policy must be based on some degree of paranoia; deciding how much you trust people, 
both inside and outside your organization. The policy must, however, provide a balance between 
allowing your users reasonable access to the information they require to do their jobs and totally 
disallowing access to your information. The point where this line is drawn will determine your 
policy. 


Choose a right password 

The starting point of our Linux General Security tour is the password. Many people keep their 
valuable information and files on a computer, and the only thing preventing others from seeing it 
is the eight-character string called a password. An unbreakable password, contrary to popular 
belief, does not exist. Given time and resources all passwords can be guessed either by social 
engineering or by brute force. 


Social engineering of server passwords and other access methods are still the easiest and most 
popular way to gain access to accounts and servers. Often, something as simple as acting as a 
superior or executive in a company and yelling at the right person at the right time of the day 
yields terrific results. 


Running a password cracker on a weekly basis on your system is a good idea. This helps to find 
and replace passwords that are easily guessed or weak. Also, a password checking mechanism 
should be present to reject a weak password when choosing an initial password or changing an 
old one. Character strings that are plain dictionary words, or are all in the same case, or do not 
contain numbers or special characters should not be accepted as a new password. 

We recommend the following rules to make passwords effective: 


✓ They should be at least six characters in length, preferably eight characters including at 
least one numeral or special character. 

✓ They must not be trivial; a trivial password is one that is easy to guess and is usually 
based on the user's name, family, occupation or some other personal characteristic. 

✓ They should have an aging period, requiring a new password to be chosen within a 
specific time frame. 

✓ They should be revoked and reset after a limited number of concurrent incorrect retries. 
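As an added example (not from the book), the rejection criteria above written as a POSIX sh function: it takes a candidate password and the user name, checks length, user-name basis, dictionary words, presence of a numeral or special character and mixed case, and reports the first rule the candidate breaks. The tiny word list and the user names are constructed stand-ins for the system dictionary and real accounts.

```shell
#!/bin/sh
# Added example (not from the book): check_password applies the password rules
# from this section and reports the first one a candidate violates.
# The word list is a constructed stand-in for the system dictionary (the words
# package installs the real one); PAM-based checking is covered in a later chapter.

# Constructed miniature dictionary; on a real server read /usr/share/dict/words.
DICTIONARY='password
secret
welcome
server'

# check_password PASSWORD USERNAME
# Prints the violated rule and returns 1, or prints "ok" and returns 0.
check_password() {
    pw=$1
    user=$2

    # Rule: at least six characters, preferably eight.
    if [ "${#pw}" -lt 6 ]; then
        echo "too short: at least 6 characters (8 preferred)"
        return 1
    fi

    # Letters only, lower-cased, so that "Secret99!" is still caught as a
    # dictionary or user-name based password (a stricter reading of "trivial").
    letters=$(printf '%s' "$pw" | tr -cd 'A-Za-z' | tr 'A-Z' 'a-z')
    userlower=$(printf '%s' "$user" | tr 'A-Z' 'a-z')

    # Rule: not based on the user's name.
    if [ -n "$userlower" ]; then
        case $letters in
            *"$userlower"*) echo "based on the user name"; return 1 ;;
        esac
    fi

    # Rule: not a plain dictionary word.
    if [ -n "$letters" ] && printf '%s\n' "$DICTIONARY" | grep -qxF -- "$letters"; then
        echo "dictionary word: $letters"
        return 1
    fi

    # Rule: must contain at least one numeral or special character.
    case $pw in
        *[!A-Za-z]*) ;;
        *) echo "no numeral or special character"; return 1 ;;
    esac

    # Rule: letters must not all be in the same case.
    has_lower=0; has_upper=0
    case $pw in *[a-z]*) has_lower=1 ;; esac
    case $pw in *[A-Z]*) has_upper=1 ;; esac
    if [ "$has_lower" -ne "$has_upper" ]; then
        echo "letters all in one case"
        return 1
    fi

    echo "ok"
    return 0
}

# Demonstration on constructed candidates for a constructed user "bob".
for candidate in 'secret' 'bobby2024!' 'abcdef1' 'Abcdefgh' 'Tr0ub4dor&3'; do
    printf '%-12s -> ' "$candidate"
    check_password "$candidate" bob || :
done
```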
The root account 

The "root" account is the most privileged account on a Unix system. The "root" account has no 
security restrictions imposed upon it. This means the system assumes you know what you are 
doing, and will do exactly what you request -- no questions asked. Therefore it is easy, with a 
mistyped command, to wipe out crucial system files. When using this account it is important to be 
as careful as possible. For security reasons, never log in on your server as "root" unless it is 
absolutely an instance that necessitates root access. Also, if you are not on your server, never 
sign in and leave yourself on as "root"--this is VERY, VERY, VERY BAD. 


Set login time out for the root account 

Despite the notice to never, if they are not on the server, sign in as "root" and leave it unattended, 
administrators still stay on as "root" or forget to logout after finishing their work and leave their 
terminals unattended. 

The answer to this problem is to make the bash shell automatically log out after not being 
used for a period of time. To do that, you must set the special variable of Linux named "TMOUT" to 
the time in seconds of no input before logout. 

• Edit your profile file (vi /etc/profile) and add the following line somewhere after 
the line that reads "HISTSIZE=" in this file: 

TMOUT=7200 

The value we enter for the variable "TMOUT=" is in seconds and represents 2 hours (60 * 60 = 
3600 * 2 = 7200 seconds). It is important to note that if you decide to put the above line in your 
/etc/profile file, then the automatic logout after two hours of inactivity will apply to all users 
on the system. So, instead, if you prefer to control which users will be automatically logged out 
and which ones are not, you can set this variable in their individual .bashrc file. 

After this parameter has been set on your system, you must log out and log in again (as root) for 
the change to take effect. 


The /etc/exports file 

If you are exporting file systems using the NFS service, be sure to configure the /etc/exports 
file with the most restrictive access possible. This means not using wildcards, not allowing root 
write access, and mounting read-only wherever possible. 


Step 1 
• Edit the exports file (vi /etc/exports) and add, as an example: 

/dir/to/export host1.mydomain.com(ro,root_squash) 
/dir/to/export host2.mydomain.com(ro,root_squash) 

Where /dir/to/export is the directory you want to export, host1.mydomain.com is the 
machine allowed to log in to this directory, the <ro> option means mounting read-only and the 
<root_squash> option disallows root write access in this directory. 
Step 2 

• For this change to take effect you will need to run this command on your terminal: 
[root@deep]# /usr/sbin/exportfs -a 

WARNING: Please be aware that having an NFS service available on your system can be a 
security risk. Personally, I don't recommend using it. If you follow our installation, the NFS 
service is not installed on your system. 





The single-user login mode of Linux 

Linux has a special command (linux single) also known as ‘single-user mode’, which can be 
entered at the boot prompt during startup of the system. The single-user mode is generally used 
for system maintenance. You can boot Linux in single-user mode by typing at the LILO boot 
prompt the following command: 


LILO: linux single 


This will place the system in Run level 1 where you'll be logged in as the super-user 'root', and 
where you won't even have to type in a password! 


Step 1 
Requiring no password to boot into root under single-user mode is a bad idea! You can fix this by 
editing the inittab file (vi /etc/inittab) and change the following line: 


id:3:initdefault: 
To read: 


id:3:initdefault: 
~~:S:wait:/sbin/sulogin 


The addition of the above line will require the root password to be entered before continuing to boot 
into single-user mode, by making init(8) run the program sulogin(8) before dropping 
the machine into a root shell for maintenance. 


Step 2
• Now, for the change to take effect type in the following at a prompt:


[root@deep /]# /sbin/init q 


The LILO and /etc/lilo.conf file
LILO is the most commonly used boot loader for Linux. It manages the boot process and can
boot Linux kernel images from floppy disks, hard disks or can even act as a "boot manager" for
other operating systems.


LILO is very important in the Linux system and for this reason, we must protect it the best we
can. The most important configuration file of LILO is the lilo.conf file, and it resides under the
/etc directory. It is with this file that we can configure and improve the security of our LILO
program and Linux system. Following are three important options that will improve the security of
our valuable LILO program.
• Adding: timeout=00
This option controls how long (in seconds) LILO waits for user input before booting to the default 
selection. One of the requirements of C2 security is that this interval be set to 0 unless the system 
dual boots something else. 


• Adding: restricted
This option asks for a password only if parameters are specified on the command line (e.g.
linux single). The option "restricted" can only be used together with the "password"
option. Make sure you use this one on each additional image you may have.


• Adding: password=<password>
This option asks the user for a password when trying to load the image. The effect of
using the password parameter in /etc/lilo.conf is to protect the Linux image from booting
without it. This means it doesn't matter if you load Linux in single mode or if you just do a normal
boot: it will always ask you for the password.


Now this can have a very bad effect, namely you are not able to reboot Linux remotely any more
since it won't come up until you type in the password at the console. It is for this reason that
adding "restricted" with "password" is very important, since the option "restricted" relaxes
the password protection and a password is required only if parameters are specified at the LILO
prompt (e.g. single).


Passwords are always case-sensitive. Also make sure the /etc/lilo.conf file is no longer
world readable, or any user will be able to read the password. Here is an example of our
protected LILO configuration in the lilo.conf file.


Step 1
• Edit the lilo.conf file (vi /etc/lilo.conf) and add or change the three options
above as shown:

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt                  ← remove this line if you don't want to pass options at the LILO prompt.
timeout=00              ← change this line to 00 to disable the LILO prompt.
linear
message=/boot/message   ← remove this line if you don't want the welcome screen.
default=linux
restricted              ← add this line to relax the password protection.
password=<password>     ← add this line and put your password.

image=/boot/vmlinuz-2.4.2-2
    label=linux
    initrd=/boot/initrd-2.4.2-2.img
    read-only
    root=/dev/sda6


Step 2
Because the configuration file /etc/lilo.conf now contains unencrypted passwords, it should
only be readable by the super-user "root".

• To make the /etc/lilo.conf file readable only by the super-user "root", use the
following command:
[root@deep /]# chmod 600 /etc/lilo.conf (will be no longer world readable).
Step 3
Now we must update our configuration file /etc/lilo.conf for the change to take effect.

• To update the /etc/lilo.conf file, use the following command:
[root@deep /]# /sbin/lilo -v
LILO version 21.4-4, copyright (C) 1992-1998 Werner Almesberger
'lba32' extensions copyright (C) 1999,2000 John Coffman

Reading boot sector from /dev/sda
hda: ATAPI 32X CD-ROM drive, 128kB Cache
Merging with /boot/boot.b
Mapping message file /boot/message
Boot image: /boot/vmlinuz-2.2.16-22
Mapping RAM disk /boot/initrd-2.2.16-22.img
Added linux *
/boot/boot.0800 exists - no backup copy made.
Writing boot sector.


Step 4
One more security measure you can take to secure the lilo.conf file is to set it immutable,
using the chattr command.

• To set the file immutable, simply use the following command:
[root@deep /]# chattr +i /etc/lilo.conf

This will prevent any changes (accidental or otherwise) to the lilo.conf file. If you wish to
modify the lilo.conf file you will need to unset the immutable flag:

• To unset the immutable flag, use the following command:
[root@deep /]# chattr -i /etc/lilo.conf








WARNING: When you use the password option, LILO will always ask you for the password,
regardless of whether you pass options at the LILO prompt (e.g. single) or not, EXCEPT when you set
the "restricted" option in /etc/lilo.conf.

The option "restricted" relaxes the password protection and a password is required only if
parameters are specified at the LILO prompt (e.g. single).

If you don't have the "restricted" option set, Linux will always ask you for the password and
you will not be able to remotely reboot your system, therefore don't forget to add the option
"restricted" with the option "password" into the /etc/lilo.conf file.
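The following added example (not from the book) checks a lilo.conf for the settings this section recommends: password= together with restricted, timeout=00, and a file mode of 600. The two sample files are constructed here, the image paths are placeholders, and the function names are my own.

```shell
# Added example (not from the book): check a lilo.conf against the three settings
# this section recommends and the file mode that the password option requires.
# Usage: audit_lilo_conf FILE  -> one finding per line, nothing when all is well.
lilo_has() {   # lilo_has FILE OPTION: is OPTION present at the start of a line?
    grep -q "^[[:space:]]*$2" "$1"
}
audit_lilo_conf() {
    f=$1
    if lilo_has "$f" 'password='; then
        # "restricted" makes the password apply only when boot options are typed,
        # so an unattended (remote) reboot still comes up.
        lilo_has "$f" 'restricted' ||
            echo "password= without restricted: every boot waits for the password at the console"
        # The password is stored in clear text, so only root may read the file.
        mode=$(ls -ld "$f" | cut -c2-10)
        [ "$mode" = "rw-------" ] ||
            echo "mode is $mode, expected rw------- (chmod 600): password readable by other users"
    else
        echo "no password= line: anyone at the console can boot 'linux single' into a root shell"
    fi
    # C2 requirement from the text: no delay unless the machine dual boots.
    grep -Eq '^[[:space:]]*timeout=0+[[:space:]]*$' "$f" ||
        echo "timeout is not 00: LILO waits for keyboard input before booting the default image"
    return 0
}

# Constructed samples: the first has a password but none of the accompanying
# measures, the second is the book's protected configuration (placeholder paths).
LILO_WEAK=$(mktemp); LILO_FIXED=$(mktemp)
cat > "$LILO_WEAK" <<'EOF'
boot=/dev/sda
prompt
timeout=50
default=linux
password=PLACEHOLDER
image=/boot/vmlinuz-PLACEHOLDER
    label=linux
EOF
chmod 644 "$LILO_WEAK"
cat > "$LILO_FIXED" <<'EOF'
boot=/dev/sda
prompt
timeout=00
default=linux
restricted
password=PLACEHOLDER
image=/boot/vmlinuz-PLACEHOLDER
    label=linux
EOF
chmod 600 "$LILO_FIXED"
echo "weak:";  audit_lilo_conf "$LILO_WEAK"
echo "fixed:"; audit_lilo_conf "$LILO_FIXED"
```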








Disabling Ctrl-Alt-Delete keyboard shutdown command

Commenting out the line (with a "#") listed below in your /etc/inittab file will disable the
possibility of using the Control-Alt-Delete command to shutdown your computer. This is
pretty important if you don't have the best physical security to the machine.
Step 1
• To do this, edit the inittab file (vi /etc/inittab) and change/comment the line:

ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To read:

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now


Step 2
• Now, for the change to take effect type in the following at a prompt:


[root@deep /]# /sbin/init q 


The /etc/services file 

The port numbers on which certain "standard" services are offered are defined in the RFC 1700
"Assigned Numbers". The /etc/services file enables server and client programs to convert
service names to these numbers (ports). The list is kept on each host and it is stored in the file
/etc/services. Only the "root" user is allowed to make modifications to this file. It is rare to
edit the /etc/services file, since it already contains the more common service names and port
numbers. To improve security, we can set the immutable flag on this file to prevent unauthorized
deletion or modification.

• To immunize the /etc/services file, use the following command:
[root@deep /]# chattr +i /etc/services


The /etc/securetty file 

The /etc/securetty file allows you to specify which TTY and vc (virtual console) devices the
"root" user is allowed to login on. The /etc/securetty file is read by the login program (usually
/bin/login). Its format is a list of the tty and vc device names allowed, and for all others
that are commented out or do not appear in this file, root login is disallowed.

Disable any tty and vc devices that you do not need by commenting them out (# at the
beginning of the line) or by removing them.

• Edit the securetty file (vi /etc/securetty) and comment out or remove the
following lines:

vc/1      tty1
#vc/2     #tty2
#vc/3     #tty3
#vc/4     #tty4
#vc/5     #tty5
#vc/6     #tty6
#vc/7     #tty7
#vc/8     #tty8
#vc/9     #tty9
#vc/10    #tty10
#vc/11    #tty11

Which means root is allowed to login on only tty1 and vc/1. This is my recommendation,
allowing "root" to log in on only one tty or vc device and use the su command to switch to "root"
if you need more devices to log in as "root".
Special accounts

It is important to DISABLE ALL default vendor accounts that you don’t use on your system 
(some accounts exist by default even if you have not installed the related services on your 
server). This should be checked after each upgrade or new software installation. Linux provides 
these accounts for various system activities, which you may not need if the services are not 
installed on your server. If you do not need the accounts, remove them. The more accounts you 
have, the easier it is to access your system. 


We assume that you are using the Shadow password suite on your Linux system. If you are not, 
you should consider doing so, as it helps to tighten up security somewhat. This is already set if 
you’ve followed our Linux installation procedure and selected, under the “Authentication 
Configuration", the option to "Enable Shadow Passwords" (see the chapter related to the
“Installation of your Linux Server” for more information). 


• To delete a user on your system, use the following command:
[root@deep /]# userdel username

• To delete a group on your system, use the following command:
[root@deep /]# groupdel groupname


Step 1
First we will remove all default vendor accounts from the /etc/passwd file that are unnecessary
for the operation of the secure server configuration that we use in this book.

• Type the following commands to delete all default user accounts listed below:
[root@deep /]# userdel adm
[root@deep /]# userdel lp
[root@deep /]# userdel shutdown
[root@deep /]# userdel halt
[root@deep /]# userdel news
[root@deep /]# userdel mail
[root@deep /]# userdel uucp
[root@deep /]# userdel operator
[root@deep /]# userdel games
[root@deep /]# userdel gopher
[root@deep /]# userdel ftp








WARNING: By default, the userdel command will not delete a user's home directory. If you want
the home directories of accounts to be deleted too, then add the -r option to the userdel
command. Finally, the -r option must be used only when you have added a new user to the
server and want to remove them. It doesn't need to be used for the removal of the above default
user accounts. The user account called "mail" must be removed from the system only if you
don't use Sendmail as your default Mail Server with the mailx package. This user is related to
mailx and not Sendmail.





Once the above list of users has been deleted from your Linux system, the /etc/passwd file
will look like this:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
sync:x:5:0:sync:/sbin:/bin/sync
nobody:x:99:99:Nobody:/:
Step 2
Now that we have removed all the unnecessary default vendor accounts from the /etc/passwd
file, we will remove the unnecessary default vendor groups from the /etc/group file.

• Type the following commands to delete all default group accounts listed below:

[root@deep /]# groupdel adm
[root@deep /]# groupdel lp
[root@deep /]# groupdel news
[root@deep /]# groupdel mail
[root@deep /]# groupdel uucp
[root@deep /]# groupdel games
[root@deep /]# groupdel dip








NOTE: The group account called “mail” must be removed from the system only if you don’t use 
the mailx program for “mail”. This is probably not what you want except if you use qmail. 





Once the above list of groups has been deleted from your Linux system the /etc/group
file will look like this:

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin
tty:x:5:
disk:x:6:root
mem:x:8:
kmem:x:9:
wheel:x:10:root
man:x:15:
nobody:x:99:
users:x:100:
floppy:x:19:
slocate:x:21:
utmp:x:22:


Step 3
Finally it is time to add the necessary and allowed users into the system:

• To add a new user on your system, use the following command:
[root@deep /]# useradd username

For example:
[root@deep /]# useradd admin

• To add or change the password for a user on your system, use the following command:
[root@deep /]# passwd username

For example:
[root@deep /]# passwd admin














The output should look something like this:
Changing password for user admin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully
Step 4

The immutable bit can be used to prevent accidentally deleting or overwriting a file that must be 
protected. It also prevents someone from creating a symbolic link to this file, which has been the 
source of attacks involving the deletion of /etc/passwd, /etc/shadow, /etc/group or 
/etc/gshadow files. 


• To set the immutable bit on the passwords and groups files, use the following commands:
[root@deep /]# chattr +i /etc/passwd 
[root@deep /]# chattr +i /etc/shadow 
[root@deep /]# chattr +i /etc/group 
[root@deep /]# chattr +i /etc/gshadow 








WARNING: In the future, if you intend to add or delete users, passwords, usergroups, or group files, 
you must unset the immutable bit on all those files or you will not be able to make and update 
your changes. Also if you intend to install an RPM program that will automatically add a new user 
to the different immunized passwd and group files, then you will receive an error message 
during the install if you have not unset the immutable bit from those files. 





• To unset the immutable bit on the passwords and groups files, use the commands:
[root@deep /]# chattr -i /etc/passwd 
[root@deep /]# chattr -i /etc/shadow 
[root@deep /]# chattr -i /etc/group 
[root@deep /]# chattr -i /etc/gshadow 


Control mounting a file system 

You can have more control on mounting file systems like /cache/, /home/ or /tmp/ partitions 
with some nifty options like noexec, nodev, and nosuid. This can be setup in the /etc/fstab 
text file. The fstab file contains descriptive information about the various file system mount 
options; each line addresses one file system. 


Information related to security options in the fstab text file is:

✓ defaults   Allow everything (quota, read-write, and suid) on this partition.
✓ noquota    Do not set user quotas on this partition.
✓ nosuid     Do not set SUID/SGID access on this partition.
✓ nodev      Do not set character or special devices access on this partition.
✓ noexec     Do not set execution of any binaries on this partition.
✓ quota      Allow user quotas on this partition.
✓ ro         Allow read-only on this partition.
✓ rw         Allow read-write on this partition.
✓ suid       Allow SUID/SGID access on this partition.








NOTE: For more information on options that you can set in this file (fstab), see the man pages
about mount(8).
Step 1
• Edit the fstab file (vi /etc/fstab) and change it depending on your needs.

For example change:

LABEL=/cache    /cache    ext2    defaults                1 2
LABEL=/home     /home     ext2    defaults                1 2
LABEL=/tmp      /tmp      ext2    defaults                1 2

To read:

LABEL=/cache    /cache    ext2    defaults,nodev          1 2
LABEL=/home     /home     ext2    defaults,nosuid         1 2
LABEL=/tmp      /tmp      ext2    defaults,nosuid,noexec  1 2

Meaning, <nosuid>, do not allow set-user-identifier or set-group-identifier bits to take effect,
<nodev>, do not interpret character or block special devices on this file system partition, and
<noexec>, do not allow execution of any binaries on the mounted file system.


Step 2 
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the 
Linux system about the modifications. 


• This can be accomplished with the following commands:
[root@deep /]# mount /cache -oremount
[root@deep /]# mount /home -oremount
[root@deep /]# mount /tmp -oremount

Each file system that has been modified must be remounted with the command shown above. In
our example we have modified the /cache, /home, and /tmp file systems and it is for this reason
that we remount these file systems with the above commands.


• You can verify if the modifications have been correctly applied to the Linux system with
the following command:
[root@deep /]# cat /proc/mounts
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda10 /cache ext2 rw,nodev 0 0
/dev/sda9 /chroot ext2 rw 0 0
/dev/sda8 /home ext2 rw,nosuid 0 0
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0
/dev/sda7 /usr ext2 rw 0 0
/dev/sda11 /var ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw 0 0
none /dev/pts devpts rw 0 0

This command will show you all the file systems on your Linux server with the parameters applied to
them.
Mounting the /boot directory of Linux as read-only

The /boot directory is where the Linux kernel and some of its related files are kept. On many
Linux variants this directory resides in its own partition and the default parameter is to mount it as
read-write. We can change this parameter to make it read-only for better security.

Mounting the /boot partition as read-only eliminates the possibility that someone may try to
change or modify vital files inside it. To mount the /boot file system of Linux as read-only, follow
the simple steps below.





Step 1
• Edit the fstab file (vi /etc/fstab) and change the line:
LABEL=/boot    /boot    ext2    defaults       1 2
To read:
LABEL=/boot    /boot    ext2    defaults,ro    1 2

We add the "ro" option to this line to specify to mount this partition as read-only.

Step 2
Make the Linux system aware of the modification you have made to the /etc/fstab file.


• This can be accomplished with the following command:
[root@deep /]# mount /boot -oremount

• Then test your results with the following command:
[root@deep /]# cat /proc/mounts
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 ro 0 0
/dev/sda10 /cache ext2 rw,nodev 0 0
/dev/sda9 /chroot ext2 rw 0 0
/dev/sda8 /home ext2 rw,nosuid 0 0
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0
/dev/sda7 /usr ext2 rw 0 0
/dev/sda11 /var ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw 0 0
none /dev/pts devpts rw 0 0

If you see something like: /dev/sda1 /boot ext2 ro 0 0, congratulations!








WARNING: If in the future you want to upgrade your Linux kernel, it is important to reset the 
modification you have made to the /boot directory to its initial state (read-write) or you will not be 
able to install the new kernel because the /boot partition is set as read-only. All you have to do if 
you want to put the /boot partition to its original state is to edit the /etc/fstab file again and 
remove the “ro” option then remount the /boot file system with the “mount -oremount” 
command again. 
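The following added example (not from the book) checks the result of both this section's read-only /boot and the previous section's nodev/nosuid/noexec options by reading a /proc/mounts-style file. The two mounts listings are constructed from the book's before and after states, and the function names are my own; on a real server you would pass /proc/mounts itself.

```shell
# Added example (not from the book): confirm the mount options the two fstab
# sections ask for, reading a /proc/mounts-style file (field 2 = mount point,
# field 4 = options). A real check would pass /proc/mounts itself.
# mount_has_opts FILE MOUNTPOINT OPT[,OPT...] -> 0 if all options are present,
# otherwise prints what is missing and returns 1.
mount_has_opts() {
    have=$(awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1")
    if [ -z "$have" ]; then
        echo "$2: not mounted"
        return 1
    fi
    missing=""
    for o in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$have," in
            *,"$o",*) ;;                       # option present
            *) missing="$missing $o" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$2: missing$missing (mounted with: $have)"
        return 1
    fi
    return 0
}
# check_mount_policy FILE -> prints one line per violated rule, always returns 0
check_mount_policy() {
    for rule in /tmp:nosuid,noexec /home:nosuid /cache:nodev /boot:ro; do
        mount_has_opts "$1" "${rule%%:*}" "${rule#*:}" || true
    done
}

# Constructed /proc/mounts samples: BEFORE uses the stock fstab "defaults",
# AFTER is what the book's edited fstab produces after the remounts.
MOUNTS_BEFORE=$(mktemp); MOUNTS_AFTER=$(mktemp)
cat > "$MOUNTS_BEFORE" <<'EOF'
/dev/root / ext2 rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda10 /cache ext2 rw 0 0
/dev/sda8 /home ext2 rw 0 0
/dev/sda13 /tmp ext2 rw 0 0
none /dev/pts devpts rw 0 0
EOF
cat > "$MOUNTS_AFTER" <<'EOF'
/dev/root / ext2 rw 0 0
/dev/sda1 /boot ext2 ro 0 0
/dev/sda10 /cache ext2 rw,nodev 0 0
/dev/sda8 /home ext2 rw,nosuid 0 0
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0
none /dev/pts devpts rw 0 0
EOF
echo "before:"; check_mount_policy "$MOUNTS_BEFORE"
echo "after:";  check_mount_policy "$MOUNTS_AFTER"
```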
Conceal binary RPM

Once you have installed all the software that you need on your Linux server with the RPM
command, it's a good idea to move the RPM binary to a safe place like a floppy disk or another safe
place of your choice. With this method, if someone accesses your server with the intention of
installing nasty software with the RPM command, he wouldn't be able to. Of course, if in the future
you want to install or upgrade new software via RPM, all you have to do is to put the RPM binary
back in its original directory again.

• To move the RPM binary onto the floppy disk, use the commands:
[root@deep /]# mount /dev/fd0H1440 /mnt/floppy/
[root@deep /]# mv /bin/rpm /mnt/floppy/
[root@deep /]# umount /mnt/floppy/








WARNING: Never uninstall the RPM program completely from your system or you will be unable to 
reinstall it again later, since to install RPM or other software you need to have RPM commands 
available. 





One more thing you can do is change the default permission of the “rpm” command from 755 to 
700. With this modification, non-root users can’t use the “rpm” program to query, install etc; in 
case you forget to move it to a safe place after installation of new programs. 


• To change the default permission of /bin/rpm, use the command:
[root@deep /]# chmod 700 /bin/rpm


Shell logging 

To make it easy for you to repeat long commands, the bash shell stores up to 500 old commands
in the ~/.bash_history file (where "~/" is your home directory). Each user that has an account
on the system will have this file .bash_history in their home directory. Reducing the number
of old commands the .bash_history files can hold may protect users on the server who enter
their password on the screen in plain text by mistake and would have their password stored for a long
time in the .bash_history file.

Step 1
The HISTSIZE line in the /etc/profile file determines the number of old commands the
.bash_history file for all users on your system can hold. For all accounts I would highly
recommend setting the HISTSIZE in the /etc/profile file to a low value such as 10.

• Edit the profile file (vi /etc/profile) and change the line:

HISTSIZE=1000

To read:

HISTSIZE=10

Which means the .bash_history file in each user's home directory can store 10 old
commands and no more. Now, if a cracker tries to see the ~/.bash_history file of users on
your server to find some password typed by mistake in plain text, he or she has less chance to
find one.
Step 2
The administrator should also add into the /etc/profile file the "HISTFILESIZE=0" line, so
that each time a user logs out, their .bash_history file will be deleted so crackers will not be
able to use the .bash_history file of users who are not presently logged into the system.

• Edit the profile file (vi /etc/profile) and add the following parameter below the
"HISTSIZE=" line:

HISTFILESIZE=0

After this parameter has been set on your system, you must logout and login again (as root) for
the change to take effect.


Physical hard copies of all-important logs 

One of the most important security considerations is the integrity of the different log files under 
the /var/log/ directory on your server. If despite each of the security functions put in place on 
our server, a cracker can gain access to it, our last defense is the log file system, so it is very 
important to consider a method of being sure of the integrity of our log files. 


If you have a printer installed on your server, or on a machine on your network, a good idea
would be to have actual physical hard copies of all-important logs. This can be easily
accomplished by using a continuous feed printer and having the syslog program send all logs
you deem important out to /dev/lp0 (the printer device). A cracker can change the files,
programs, etc on your server, but can do nothing when you have a printer that prints a real paper
copy of all of your important logs.


As an example: 

For logging of all telnet, mail, boot messages and ssh connections from your server to the 
printer attached to THIS server, you would want to add the following line to the 
/etc/syslog.conf file: 


Step 1
• Edit the syslog.conf file (vi /etc/syslog.conf) and add at the end of this file the
following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info        /dev/lp0


Step 2
• Now restart your syslog daemon for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger:  [OK]
Shutting down system logger:  [OK]
Starting system logger:       [OK]
Starting kernel logger:       [OK]


As an example: 

For logging of all telnet, mail, boot messages and ssh connections from your server to the 
printer attached to a REMOTE server in your local network, then you would want to add the 
following line to /etc/syslog.conf file on the REMOTE server. 
Step 1
• Edit the syslog.conf file (vi /etc/syslog.conf) on the REMOTE server (for
example: printer.openna.com) and add at the end of this file the following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info        /dev/lp0

If you don't have a printer in your network, you can also copy all the log files to another machine;
simply omit the above first step of adding /dev/lp0 to your syslog.conf file on the remote host and go
directly to the "-r" option in the second step on the remote host. Using the feature of copying all the log
files to another machine will give you the possibility to control all syslog messages on one host and will
reduce administration needs.


Step 2 

Since the default configuration of the syslog daemon is to not receive any messages from the 
network, we must enable on the REMOTE server the facility to receive messages from the 
network. To enable the facility to receive messages from the network on the REMOTE server, 
add the following option “-r” to your syslog daemon script file (only on the REMOTE host): 


• Edit the syslog daemon script (vi +24 /etc/rc.d/init.d/syslog) and change:
daemon syslogd -m 0

To read:

daemon syslogd -r -m 0


Step 3
• Restart your syslog daemon on the remote host for the change to take effect:
[root@mail /]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger:  [OK]
Shutting down system logger:  [OK]
Starting system logger:       [OK]
Starting kernel logger:       [OK]


Step 4
• If we have a firewall on the REMOTE server (you are supposed to have one), we must
add or verify the existence of the following lines:

# SYSLOG server (514)
# --------------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         -s $SYSLOG_CLIENT --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port 514 -j ACCEPT

Where EXTERNAL_INTERFACE="eth0" # Internet or Internal connected interface
Where IPADDR="208.164.186.10" # Your IP address
Where SYSLOG_CLIENT="208.164.168.0/24" # Your syslog clients IP ranges
Step 5
• Now restart your firewall on the remote host for the change to take effect:
[root@printer /]# /etc/rc.d/init.d/iptables restart
Shutting Firewalling Services:  [OK]
Starting Firewalling Services:  [OK]

This firewall rule will allow incoming UDP packets on port 514 (syslog port) on the remote
server that come from our internal clients to be accepted. For more information on Firewalls see
the chapter relating to network firewalls.


Step 6
• Edit the syslog.conf file (vi /etc/syslog.conf) on the LOCAL server, and add at
the end of this file the following line:

authpriv.*;mail.*;local7.*;auth.*;daemon.info        @printer


Where “printer” is the hostname of the REMOTE server. Now if anyone ever hacks your 
machine and attempts to erase vital system logs, you still have a hard copy of everything. It 
should then be fairly simple to trace where they came from and deal with it accordingly. 


Step 7
• Restart your syslog daemon on the LOCAL server for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/syslog restart
Shutting down kernel logger:  [OK]
Shutting down system logger:  [OK]
Starting system logger:       [OK]
Starting kernel logger:       [OK]


Step 8
• Same as on the REMOTE host, we must add or verify the existence of the following lines
in our firewall script file on the LOCAL host:

# SYSLOG client (514)
# --------------------

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR --source-port 514 \
         -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT

Where EXTERNAL_INTERFACE="eth0" # Internet or Internal connected interface
Where IPADDR="208.164.186.1" # Your IP address
Where SYSLOG_SERVER="printer.openna.com" # Your Printer Server in our example


Step 9
• Finally restart your firewall on the LOCAL host for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/iptables restart
Shutting Firewalling Services:  [OK]
Starting Firewalling Services:  [OK]

This firewall rule will allow outgoing UDP packets on unprivileged ports on the local server
destined to the remote syslog server to be accepted. Repeat step 6 through step 9 for each
additional server you may have and want all-important logs to be logged on the remote printer server.
For more information on Firewalls see the chapter relating to network firewalls.
WARNING: Never use your Gateway Server as a host to control all syslog messages; this is a
very bad idea. More options and strategies exist with the sysklogd program, see the man pages
about sysklogd(8), syslog(2), and syslog.conf(5) for more information.





Tighten scripts under /etc/rc.d/init.d/

Fix the permissions of the script files that are responsible for starting and stopping all your normal
processes that need to run at boot time.

• To fix the permissions of those files, use the following command:
[root@deep /]# chmod -R 700 /etc/init.d/*

Which means just the super-user "root" is allowed to Read, Write, and Execute script files in this
directory. I don't think regular users need to know what's inside those script files.








WARNING: If you install a new program or update a program that uses a System V init script
located under the /etc/rc.d/init.d/ directory, don't forget to change or verify the permissions of
this script file again.





The /etc/rc.local file 


By default, when you login to a Linux machine, it tells you the Linux distribution name, version, 
kernel version, and the name of the server. This is giving away too much info. We'd rather just 
prompt users with a "Login:" prompt. 


Step 1
• To do this, edit the rc.local file (vi /etc/rc.local) and place "#" in front of the
following lines as shown:

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" > /etc/issue
#echo "$R" >> /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >> /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >> /etc/issue


Step 2
• Then, remove the following files: issue.net and issue under the /etc/ directory:
[root@deep /]# rm -f /etc/issue
[root@deep /]# rm -f /etc/issue.net

WARNING: The /etc/issue.net file is the login banner that users will see when they make a
networked (i.e. telnet, SSH) connection to your machine. You will find it in the /etc directory, 
along with a similar file called issue, which is the login banner that gets displayed to local users. 


It is simply a text file and can be customized to your own tastes, but be aware that as noted 
above, if you do change it or remove it like we do, you'll also need to modify the 
/etc/rc.d/rc.local shell script, which re-creates both the issue and issue.net files 
every time the system boots. 





Bits from root-owned programs 

A regular user will be able to run a program as root if it is set to SUID root. All programs and files
on your computer with the 's' bit appearing in their mode have the SUID (-rwsr-xr-x) or SGID
(-r-xr-sr-x) bit enabled. Because these programs grant special privileges to the user who is
executing them, it is important to remove the 's' bits from root-owned programs that won't
absolutely require such privilege. This can be accomplished by executing the command chmod
a-s with the name(s) of the SUID/SGID files as its arguments.

Such programs include, but aren't limited to:

✓ Programs you never use.
✓ Programs that you don't want any non-root users to run.
✓ Programs you use occasionally, and don't mind having to su(1) to root to run.

We've placed an asterisk (*) next to each program we personally might disable and consider to
be not absolutely required for the duty work of the server. Remember that your system needs
some suid root programs to work properly, so be careful.


Step 1

• To find all files with the 's' bit set on root-owned programs, use the command:
[root@deep /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

*-rwsr-xr-x   1 root     root        34220 Jul 18 14:13 /usr/bin/chage
*-rwsr-xr-x   1 root     root        36344 Jul 18 14:13 /usr/bin/gpasswd
 -rwxr-sr-x   1 root     man         35196 Jul 12 03:50 /usr/bin/man
 -r-s--x--x   1 root     root        13536 Jul 12 07:56 /usr/bin/passwd
 -rwxr-sr-x   1 root     mail        10932 Jul 12 10:03 /usr/bin/suidperl
 -rwsr-sr-x   1 root     mail        63772 Jul 12 10:03 /usr/bin/sperl5.6.0
 -rwxr-sr-x   1 root     slocate     23964 Jul 23 17:48 /usr/bin/slocate
*-r-xr-sr-x   1 root     tty          6524 Jul 12 03:19 /usr/bin/wall
*-rws--x--x   1 root     root        13184 Jul 21 19:15 /usr/bin/chfn
*-rws--x--x   1 root     root        12640 Jul 21 19:15 /usr/bin/chsh
*-rws--x--x   1 root     root         5464 Jul 21 19:15 /usr/bin/newgrp
*-rwxr-sr-x   1 root     tty          8500 Jul 21 19:15 /usr/bin/write
*-rwsr-xr-x   1 root     root         6288 Jul 26 10:22 /usr/sbin/usernetctl
 -rwxr-sr-x   1 root     utmp         6584 Jul 13 00:46 /usr/sbin/utempter
*-rwsr-xr-x   1 root     root        20540 Jul 25 07:33 /bin/ping
 -rwsr-xr-x   1 root     root        14184 Jul 12 20:47 /bin/su
*-rwsr-xr-x   1 root     root        55356 Jul 12 05:01 /bin/mount
*-rwsr-xr-x   1 root     root        25404 Jul 12 05:01 /bin/umount
*-rwxr-sr-x   1 root     root         4116 Jul 26 10:22 /sbin/netreport
 -r-sr-xr-x   1 root     root        14732 Jul 26 14:06 /sbin/pwdb_chkpwd
 -r-sr-xr-x   1 root     root        15340 Jul 26 14:06 /sbin/unix_chkpwd
Step 2

• To disable the SUID/SGID bits on the selected programs above, type the following commands:
[root@deep /]# chmod a-s /usr/bin/chage
[root@deep /]# chmod a-s /usr/bin/gpasswd
[root@deep /]# chmod a-s /usr/bin/wall
[root@deep /]# chmod a-s /usr/bin/chfn
[root@deep /]# chmod a-s /usr/bin/chsh
[root@deep /]# chmod a-s /usr/bin/newgrp
[root@deep /]# chmod a-s /usr/bin/write
[root@deep /]# chmod a-s /usr/sbin/usernetctl
[root@deep /]# chmod a-s /bin/ping
[root@deep /]# chmod a-s /bin/mount
[root@deep /]# chmod a-s /bin/umount
[root@deep /]# chmod a-s /sbin/netreport














If you want to know what those programs do, type "man program-name" and read the man page.


As an example: 


• To read the netreport man page, use the following command:
[root@deep /]# man netreport


Finding all files with the SUID/SGID bit enabled 

All SUID and SGID files that still exist on your system after we have removed those that won't 
absolutely require such privilege are a potential security risk, and should be monitored closely. 
Because these programs grant special privileges to the user who is executing them, it is 
necessary to ensure that insecure programs are not installed. 


A favorite trick of crackers is to exploit SUID "root" programs, and leave a SUID program as a 
backdoor to get in the next time. Find all SUID and SGID programs on your system, and keep 
track of what they are so that you are aware of any changes, which could indicate a potential 
intruder. 


• Use the following command to find all SUID/SGID programs on your system:
[root@deep /]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;

When, for example, the users' home directories are NFS-mounted on all servers, this find command
will scan the same home directories on every server. That is wasted effort: mount such file systems
with the nosuid option so that the kernel ignores SUID/SGID bits on them, and there is then nothing
to audit there. With many mounted file systems the full scan can take a long time for no benefit.

• In this case, you can skip NFS mounts by executing the following command (see '-fstype'):
[root@deep /]# find / \( ! -fstype nfs -o -prune \) -type f \( -perm -04000 -o -perm -02000 \) -exec ls -l {} \;








NOTE: See later in this book the chapter related to “Securities Software - Monitoring Tools” for 
more information about the software named “sxid” that will do the job for you automatically each 
day and report the results via mail. 
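The sxid tool mentioned above keeps a record of the SUID/SGID files and reports what changed. As an added example, not part of the book or of sxid, the script below does the same job in plain sh: it records a baseline with the find command of this section (skipping NFS mounts), and on later runs reports every SUID/SGID file that appeared, disappeared, or changed mode or owner. The baseline path /var/lib/suid-baseline.txt and the use of GNU stat for the listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the book or from sxid): keep a baseline of SUID/SGID
# files and report changes against it, the way sxid does from cron.
# The baseline location is an assumption; override it with SUID_BASELINE=...
SUID_BASELINE="${SUID_BASELINE:-/var/lib/suid-baseline.txt}"

# list_suid ROOT...: print every SUID/SGID regular file below the roots as
# "mode owner group path", skipping NFS mounts as in the find command above.
# Sorted with a fixed locale so two runs are directly comparable.
list_suid() {
    find "$@" \( ! -fstype nfs -o -prune \) -type f \
        \( -perm -04000 -o -perm -02000 \) -exec stat -c '%A %U %G %n' {} + 2>/dev/null \
        | LC_ALL=C sort -k4
}

# suid_baseline_init ROOT...: record the current state as the trusted baseline.
suid_baseline_init() {
    list_suid "$@" > "$SUID_BASELINE"
}

# suid_check ROOT...: compare the current state with the baseline. Prints
# "- line" for entries that vanished and "+ line" for new or changed entries
# (a mode or owner change shows up as one "-" and one "+" line).
# Returns 0 when nothing changed, 1 when something did, 2 without a baseline.
suid_check() {
    if [ ! -r "$SUID_BASELINE" ]; then
        echo "no baseline at $SUID_BASELINE; run suid_baseline_init first" >&2
        return 2
    fi
    changes=$(list_suid "$@" | diff "$SUID_BASELINE" - | sed -n 's/^< /- /p; s/^> /+ /p')
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# Command-line use: "suid-audit.sh init [ROOT...]" once after hardening, then
# "suid-audit.sh check [ROOT...]" daily from cron; mail goes out only on change.
case "${1:-}" in
    init)  shift; [ $# -gt 0 ] || set -- /; suid_baseline_init "$@" ;;
    check) shift; [ $# -gt 0 ] || set -- /
           if ! report=$(suid_check "$@") && [ -n "$report" ]; then
               printf '%s\n' "$report" | /bin/mail -s "SUID/SGID change report" root
           fi ;;
esac
```

Take the baseline only after Step 2 above has been carried out, otherwise the removed bits will be reported as changes forever; re-run init after any package upgrade that legitimately installs a new SUID program.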
Don't let internal machines tell the server what their MAC address is

To avoid the risk that a user could easily change a computer's IP address and appear as
someone else to the firewall, you can fix the ARP cache entries of Linux using the arp
command utility. A special option of the arp utility stops the server from accepting what INTERNAL
machines tell it about their MAC (Media Access Control) address and the IP address
associated with it. arp is a small utility which manipulates the kernel's ARP (Address Resolution
Protocol) cache. Of all the options it offers, the primary ones are clearing an address mapping
entry and setting one up manually. To better secure our server from the INTERNAL network, we will
enter the MAC addresses (sometimes called hardware addresses) of all known computers in our
network statically, using static ARP entries.


Step 1

• For each INTERNAL computer in your network you need the MAC address that goes with its IP
address. On a Linux host, ifconfig shows it:

[root@deep /]# ifconfig

eth0      Link encap:Ethernet  HWaddr 00:50:DA:C6:D3:FF
inet addr:207.35.78.3 Bcast:207.35.78.32 Mask:255.255.255.224 
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
RX packets:1887318 errors:0 dropped:0 overruns:1 frame:0 
TX packets:2709329 errors:0 dropped:0 overruns:0 carrier:1 
collisions:18685 txqueuelen:100 
Interrupt:10 Base address:0xb000 





ethl Link encap:Ethernet HWaddr 00:50:DA:C6:D3:09 
inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0 
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
RX packets:182937 errors:0 dropped:0 overruns:0 frame:0 
TX packets:179612 errors:0 dropped:0 overruns:0 carrier:0 
collisions:7434 txqueuelen:100 
Interrupt:11 Base address:0xa800 








lo Link encap:Local Loopback 
inet addr:127.0.0.1 Mask:255.0.0.0 
UP LOOPBACK RUNNING MTU:3924 Metric:1 
RX packets:7465 errors:0 dropped:0 overruns:0 frame:0 
TX packets:7465 errors:0 dropped:0 overruns:0 carrier:0 
collisions:0 txqueuelen:0 


The MAC (Media Access Control) address is the string of letters and numbers that follows
"HWaddr" (the Hardware Address). In the above example the MAC addresses shown are
00:50:DA:C6:D3:FF for the interface eth0 and 00:50:DA:C6:D3:09 for the interface eth1. Note that
these are the addresses of the server's own interfaces, because ifconfig was run on the server.
The addresses you need are those of the INTERNAL clients: run ifconfig (or its equivalent) on each
client, or, after the server has exchanged traffic with a client, read the client's address from
the server's ARP cache with "arp -n".


Step 2
Once we know the MAC (Media Access Control) address associated with each IP address, we can add
them manually to the ARP entries of the Linux server.

• To add a MAC address to the ARP entries manually, use the following command for every
INTERNAL computer, substituting that computer's IP address and hardware address:
[root@deep /]# arp -s <ip-address> <hw-address>

The "-s" option means to manually create an ARP address mapping entry for the host at
<ip-address> with its hardware address set to <hw-address>; the entry is marked permanent and
is not overwritten by ARP replies. You can add your arp commands to the
/etc/rc.d/rc.local file if you want to keep your configuration when the system reboots.



Step 3

• To verify that the entries have been added to the system, use the following command:
[root@deep /]# arp

Address                  HWtype  HWaddress           Flags Mask            Iface
207.35.78.3              ether   00:20:78:13:86:92   CM                    eth1
192.168.1.11             ether   00:E0:18:90:1B:56   CM                    eth1

The "M" in the Flags column marks an entry as permanent (manually set); "C" means complete.











WARNING: If you receive an error message like "SIOCSARP: Invalid argument", it is because the
MAC (Media Access Control) address you tried to add belongs to one of your own server's interfaces. You
must add only the MAC addresses of INTERNAL computers in your private network. This hack does not
apply to external nodes on the Internet.





You can now be reassured that someone will not change the IP address of an INTERNAL system and
get through: if they do change the IP address, the server simply won't talk to them. Be aware of the
limits of this measure: it protects only the server's own ARP cache, and an attacker who sets both
the IP address and the MAC address of a legitimate (and currently switched-off) host on their
own interface will still be accepted. With the new iptables tool of Linux, which replaces the old
ipchains utility for packet filter administration and firewall setup, MAC addresses can be
matched in the firewall rules too (the "mac" match extension).
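As an added example (not from the book), the script below turns a list of INTERNAL hosts into the arp -s commands of Step 2 while catching the mistakes the WARNING above describes: malformed addresses, duplicate IP addresses and, above all, the server's own MAC addresses, which arp -s rejects. The inventory file format (one "ip-address mac-address" pair per line) is an assumption, as is the use of "ip -o link" with ifconfig as the fallback to discover the server's own addresses.

```shell
#!/bin/sh
# Added example (not from the book): generate the "arp -s" commands for the
# INTERNAL hosts from an inventory file, validating every entry first.
# Inventory format (assumed): one "ip-address mac-address" pair per line,
# blank lines and lines starting with '#' ignored.

# own_macs: the hardware addresses of this server's own interfaces, one per
# line; "arp -s" refuses these with "SIOCSARP: Invalid argument".
own_macs() {
    { ip -o link 2>/dev/null || ifconfig -a 2>/dev/null; } \
        | awk '/link\/ether/ {print $(NF-2)} /HWaddr/ {print $NF}'
}

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_mac ADDR: 0 if ADDR is a colon-separated 48-bit hardware address.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# arp_static_cmds INVENTORY "OWN-MAC ...": print one "arp -s ip mac" line per
# acceptable pair. Malformed pairs, duplicate IP addresses and pairs that use
# one of the server's own MAC addresses are reported on stderr and skipped.
# Returns 1 if anything was skipped, else 0.
arp_static_cmds() {
    inventory=$1
    own=$(printf '%s' "$2" | tr 'A-Z\n' 'a-z ')
    rc=0; seen=""
    while read -r ipaddr mac rest; do
        case "$ipaddr" in ''|'#'*) continue ;; esac
        lmac=$(printf '%s' "$mac" | tr 'A-Z' 'a-z')
        if ! valid_ipv4 "$ipaddr" || ! valid_mac "$mac" || [ -n "$rest" ]; then
            echo "rejected: malformed entry '$ipaddr $mac $rest'" >&2; rc=1; continue
        fi
        case " $own " in
            *" $lmac "*) echo "rejected: $lmac is this server's own address" >&2; rc=1; continue ;;
        esac
        case " $seen " in
            *" $ipaddr "*) echo "rejected: duplicate entry for $ipaddr" >&2; rc=1; continue ;;
        esac
        seen="$seen $ipaddr"
        printf 'arp -s %s %s\n' "$ipaddr" "$lmac"
    done < "$inventory"
    return $rc
}

# arp_static_apply INVENTORY: install the entries, then show the table. Call
# it from /etc/rc.d/rc.local so the static entries survive a reboot.
arp_static_apply() {
    arp_static_cmds "$1" "$(own_macs)" | sh -e && arp -n
}
```

Run arp_static_cmds by hand first and read its stderr; only when it is clean should arp_static_apply go into rc.local, because a single rejected entry otherwise leaves that host without a static mapping and the server will still accept whatever ARP reply arrives for it.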


Unusual or hidden files

It is important to look everywhere on the system for unusual or hidden files (files that start with a
period and are normally not shown by the "ls" command), as these can be used to hide tools and
information (password cracking programs, password files from other systems, etc.). A common
technique on UNIX systems is to put a hidden directory or file in a user's account with an unusual
name, something like '...' or '.. ' (dot dot space) or '..^G' (dot dot control-G). The find
program can be used to look for hidden files; piping its output through "cat -v" makes control
characters in file names visible.

• To look for hidden files, use the following commands:
[root@deep /]# find / -xdev -name ".. " -print
[root@deep /]# find / -xdev -name ".*" -print | cat -v








WARNING: Files with names such as '.xx' and '.mail' have also been used (that is, names that
appear to be normal).





Finding Group and World Writable files and directories

Group and world writable files and directories, particularly system files (partitions), can be a
security hole if a cracker gains access to your system and modifies them. Additionally, world-
writable directories are dangerous, since they allow a cracker to add or delete files as he or she
wishes in these directories. In the normal course of operation, several files will be writable,
including some from the /dev/ and /var/catman/ directories, and all symbolic links on your
system (a symbolic link's own mode is always 0777 and is ignored by the kernel; the "-type f" and
"-type d" tests below leave them out).

• To locate all group & world-writable files on your system, use the command:
[root@deep /]# find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \;

• To locate all group & world-writable directories on your system, use the command:
[root@deep /]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;
WARNING: A file and directory integrity checker like "Tripwire" can be used regularly to
scan, manage and find modified group or world writable files and directories easily. See later in
this book the chapter related to "Securities Software - System Integrity" for more information
about Tripwire.





Unowned files

Don't permit any unowned file. Unowned files may also be an indication that an intruder has
accessed your system. If you find an unowned file or directory on your system, verify its integrity,
and if all looks fine, give it an owner. Sometimes you may uninstall a program and be left with an
unowned file or directory related to this software; in this case you can remove the file or directory
safely.

• To locate files on your system that do not have an owner or group, use the following command:
[root@deep /]# find / -nouser -o -nogroup








WARNING: It is important to note that files reported under /dev/ directory don’t count. 





Finding .rhosts files

Finding all existing .rhosts files that could exist on your server should be a part of your regular
system administration duties, as these files should not be permitted on your system. Remember
that a cracker only needs one insecure account to potentially gain access to your entire network.

Step 1
• You can locate all existing .rhosts files on your system with the following command:
[root@deep /]# find /home -name .rhosts

If the result returns nothing, then you are safe and your system contains no .rhosts files in the
/home/ directory at this time. If you are doing a new install of Linux (like we did), you should not
have any .rhosts files on your system.


Step 2

You can also use a cron job to periodically check for, report the contents of, and delete
$HOME/.rhosts files. Also, users should be made aware that you regularly perform this type of
audit, as directed by your security policy.

• To use a cron job to periodically check and report via mail all .rhosts files, create as
"root" the find_rhosts_files script file under the /etc/cron.daily/ directory (touch
/etc/cron.daily/find_rhosts_files) and add the following lines to this script:

#!/bin/sh
/usr/bin/find /home -name .rhosts | (cat <<EOF
This is an automated report of possible existent ".rhosts" files on the server
deep.openna.com, generated by the find utility command.

New detected ".rhosts" files under the "/home/" directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root

• Now make this script executable, verify the owner, and change the group to "root".
[root@deep /]# chmod 755 /etc/cron.daily/find_rhosts_files
[root@deep /]# chown 0.0 /etc/cron.daily/find_rhosts_files


Each day mail will be sent to “root” with a subject:” Content of .rhosts file audit report” containing 
potential new . rhosts files. 
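The find commands of the last four sections (unusual hidden names, group/world writable files and directories, unowned files, .rhosts files) and the cron script above fit naturally into one daily report. The script below is an added example, not the book's own script: it wraps each search in a function so the results can be checked one by one, leaves out /dev where writable and unowned device nodes are expected, and mails root only when there is something to report. The install path /etc/cron.daily/fs_audit and the default directory roots are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): one daily file-system audit covering the
# checks of the preceding sections. Each check takes directory roots as
# arguments and prints one finding per line; -xdev keeps every search on the
# file system it started on, and /dev is skipped where writable or unowned
# device nodes are normal. Assumed install path: /etc/cron.daily/fs_audit.

# Hidden names that are unusual: anything starting with two dots ('...',
# '.. ', '..^G') and hidden names containing spaces or control characters.
# "cat -v" renders a control character visibly, e.g. ^G for control-G.
find_hidden_odd() {
    find "$@" -xdev -name '.*' \
        \( -name '..?*' -o -name '.*[[:cntrl:][:space:]]*' \) -print 2>/dev/null | cat -v
}

# Group- or world-writable regular files and directories. Symbolic links are
# left out by -type (their 0777 mode is meaningless); sticky directories such
# as /tmp will appear and are expected.
find_writable() {
    find "$@" -xdev ! -path '/dev/*' \( -type f -o -type d \) \
        \( -perm -0002 -o -perm -0020 \) -exec ls -ld {} + 2>/dev/null
}

# Files whose owner or group no longer exists in /etc/passwd or /etc/group.
find_unowned() {
    find "$@" -xdev ! -path '/dev/*' \( -nouser -o -nogroup \) -print 2>/dev/null
}

# .rhosts files, which should not exist at all on this server.
find_rhosts() {
    find "$@" -xdev -type f -name .rhosts -print 2>/dev/null
}

# fs_audit_report ROOT...: run every check and print a sectioned report;
# prints nothing at all when there are no findings.
fs_audit_report() {
    for check in find_hidden_odd find_writable find_unowned find_rhosts; do
        out=$("$check" "$@")
        if [ -n "$out" ]; then
            printf '== %s ==\n%s\n\n' "$check" "$out"
        fi
    done
    return 0
}

# From cron: "fs_audit --mail [ROOT...]" mails root only if something was found.
if [ "${1:-}" = "--mail" ]; then
    shift
    [ $# -gt 0 ] || set -- /home /tmp /var
    report=$(fs_audit_report "$@")
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | /bin/mail -s "Daily file system audit report for $(hostname)" root
    fi
fi
```

Unlike the find_rhosts_files script above, this one stays silent on a clean day, so a report in root's mailbox always means something to look at; pass the roots you care about (e.g. / for a full scan) rather than the defaults when the server holds data outside /home, /tmp and /var.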


System is compromised!
If you believe that your system has been compromised, contact the CERT® Coordination Center or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: cert@cert.org
CERT Hotline: (+1) 412-268-7090
Facsimile: (+1) 412-268-6989

CERT/CC personnel answer 8:00 a.m. to 8:00 p.m. EST (GMT-5) / EDT (GMT-4) on working
days; they are on call for emergencies during other hours and on weekends and holidays.
Linux Pluggable Authentication Modules

Abstract
The Pluggable Authentication Modules (PAM) consist of shared libraries which enable
administrators to choose how applications authenticate users.

Basically, PAM enables the separation of authentication schemes from the applications. This is
accomplished by providing a library of functions that applications can use for requesting user
authentication. ssh, pop, imap, etc. are PAM-aware applications, hence these applications can
be changed from asking for a password to asking for a voice sample or fingerprint by simply
changing the PAM modules, without having to rewrite any code in these applications.

The configuration files of the PAM modules are located in the directory /etc/pam.d and the
modules (shared libraries) themselves are located in the directory /lib/security. The
/etc/pam.d directory has a collection of named files of its own, e.g. ssh, pop, imap, etc. PAM-
aware applications that do not have a configuration file will automatically be pointed to the default
configuration file 'other'.

In the next section we will set up some recommended minimum-security restrictions using PAM.


The password length

The minimum acceptable password length by default when you install your Linux system is 5.
This means that when a new user is given access to the server, his/her password need only be a
5-character mix of letters, numbers, special characters etc. This is not enough
and must be 8 or more. The password length under Linux, through its PAM feature, is
controlled by 5 arguments: minlen, dcredit, ucredit, lcredit, and ocredit.

Step 1

To prevent non-security-minded people or administrators from being able to enter just 5
characters for the valuable password, edit the rather important /etc/pam.d/passwd file and
enforce the minimum password length.

• Edit the passwd file (vi /etc/pam.d/passwd) and remove the following line:
password   required   /lib/security/pam_stack.so service=system-auth
Step 2
Once the above line has been removed from the passwd file, we must remove the following three
lines from the system-auth file. Red Hat's PAM package keeps the password stack in
system-auth, a file that authconfig regenerates (see the header of the file), so options added
there would be lost; moving these lines into /etc/pam.d/passwd, which is left alone, is what
lets us use this feature with Linux.

• Edit the system-auth file (vi /etc/pam.d/system-auth) and remove the lines:

password   required   /lib/security/pam_cracklib.so retry=3
password   sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/pam_deny.so
Step 3
Now add the following lines to /etc/pam.d/passwd. We use the PAM "pam_cracklib" module
here with the argument "minlen" to enforce the password length.

password   required   /lib/security/pam_cracklib.so retry=3 minlen=12
password   sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/pam_deny.so

After adding the above lines, the /etc/pam.d/passwd file should look like this:

#%PAM-1.0
auth       required   /lib/security/pam_stack.so service=system-auth
account    required   /lib/security/pam_stack.so service=system-auth
password   required   /lib/security/pam_cracklib.so retry=3 minlen=12
password   sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/pam_deny.so


And the /etc/pam.d/system-auth file should look like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required   /lib/security/pam_env.so
auth       sufficient /lib/security/pam_unix.so likeauth nullok
auth       required   /lib/security/pam_deny.so
account    required   /lib/security/pam_unix.so
session    required   /lib/security/pam_limits.so
session    required   /lib/security/pam_unix.so








WARNING: It is important to note that when you set the password for a user as 'root', these
restrictions don't apply! This is the case on all Unix OS: the user 'root' can override pretty much
everything. Instead, log in as the user account to which you applied this restriction and try to
change the password. You will see that it works.





You need to keep in mind that this module includes a credit mechanism. E.g. if you define
minlen=12, then you get 1 credit for including a digit in your password, 1 for an uppercase
letter, 1 for a lowercase letter and 1 for a non-alphanumeric character. Each credit means that the
module will accept a password one character shorter than minlen. When you check the parameters
of the cracklib module, you will see that it has some parameters that let you define what a credit is
(http://www.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html).

For example, with minlen=14 the following password was accepted: gjtodgsdf1$

"gjtodgsdf1$" has a length of 11. It earns 1 credit for containing lowercase letters, 1 credit for the
digit (1) and 1 credit for the non-alphanumeric character ($), which gives a total of 3 credits; 11
plus 3 reaches the minlen of 14, hence the password of length 11 was accepted.

At any rate, the minimum length is adjusted by the mixture of types of characters used in the
password. Using digits (up to the number specified with the "dcredit=" parameter, which
defaults to 1), uppercase letters ("ucredit"), lowercase letters ("lcredit") or other types of
characters ("ocredit") will decrease the minimum length by up to four, since the default for each of
these four arguments is 1.

A password with 9 lowercase letters in it will pass a minimum length set to 10 unless "lcredit=0" is
used, because a credit is granted for the use of a lowercase letter. If the mixture includes an
uppercase letter, a lowercase letter, and a digit, then a minlen of 8 effectively becomes 5.








NOTE: With the MD5 password capability, which is installed by default in all modern Linux
distributions, a long password can be used now (up to 256 characters), instead of the Unix
standard of eight characters or fewer. Remember that minlen is reduced by up to four credits: minlen=12
enforces an effective minimum of 8 characters. If you want to raise the effective minimum from 8 to,
for example, 16 characters, all you have to do is replace the number 12 by 20 in the "minlen=12"
line of the /etc/pam.d/passwd file.
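To see the credit arithmetic of this section at work before settling on a minlen, here is an added example (not from the book or from Linux-PAM): a plain-sh re-implementation of the pam_cracklib length-and-credit rule with the non-negative credits described above. It models only that rule; it does not perform the dictionary, palindrome or similarity checks that pam_cracklib also applies, and the minimum-count form of negative credits found in later Linux-PAM releases is not covered.

```shell
#!/bin/sh
# Added example (not from the book or Linux-PAM): the pam_cracklib credit rule
# in plain sh, for checking which minlen a candidate password satisfies.
# Only the length/credit rule is modelled, with non-negative credits.

# count_class PASSWORD TR-SET: number of characters of PASSWORD in the tr(1) set.
count_class() {
    n=$(printf '%s' "$1" | tr -cd "$2" | wc -c)
    echo $((n + 0))
}

# credit_for COUNT CREDIT: a class earns min(COUNT, CREDIT) credits, so one
# digit already earns the whole dcredit=1 and a second digit adds nothing.
credit_for() {
    if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# cracklib_score PASSWORD [DCREDIT UCREDIT LCREDIT OCREDIT]
# Prints length + credits, the value pam_cracklib compares against minlen.
# The credit defaults (1 each) are pam_cracklib's own defaults.
cracklib_score() {
    pw=$1; dcredit=${2:-1}; ucredit=${3:-1}; lcredit=${4:-1}; ocredit=${5:-1}
    len=${#pw}
    digits=$(count_class "$pw" '0-9')
    uppers=$(count_class "$pw" 'A-Z')
    lowers=$(count_class "$pw" 'a-z')
    others=$((len - digits - uppers - lowers))   # everything non-alphanumeric
    d=$(credit_for "$digits" "$dcredit"); u=$(credit_for "$uppers" "$ucredit")
    l=$(credit_for "$lowers" "$lcredit"); o=$(credit_for "$others" "$ocredit")
    echo $((len + d + u + l + o))
}

# cracklib_accepts PASSWORD MINLEN [credits...]: 0 if the password would pass.
cracklib_accepts() {
    pw=$1; minlen=$2; shift 2
    [ "$(cracklib_score "$pw" "$@")" -ge "$minlen" ]
}

# effective_minimum MINLEN [credits...]: shortest password that can pass when
# it uses every character class, e.g. minlen=12 with default credits gives 8.
effective_minimum() {
    minlen=$1; d=${2:-1}; u=${3:-1}; l=${4:-1}; o=${5:-1}
    echo $((minlen - d - u - l - o))
}
```

Passing a candidate through cracklib_accepts with the minlen you intend to configure shows whether users who mix character classes get away with shorter passwords than you meant; raising lcredit or dcredit above 1 widens that gap, setting them to 0 closes it.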





Disabling console program access

In a safe environment, where we are sure that the console is secured because passwords for BIOS
and LILO are set and all physical power and reset switches on the system are disabled, it may be
advantageous to entirely disable all console-equivalent access to programs like shutdown,
reboot, and halt for regular users on your server.

• To do this, run the following command:
[root@deep /]# rm -f /etc/security/console.apps/<servicename>

Where <servicename> is the name of the program to which you wish to disable console-
equivalent access. Unless you use xdm, however, be careful not to remove the xserver file or
no one but 'root' will be able to start the X server. (If you always use xdm to start the X
server, 'root' is the only user that needs to start X, in which case you might actually want to
remove the xserver file).

• To disable console program access, use the following commands:
[root@deep /]# rm -f /etc/security/console.apps/halt
[root@deep /]# rm -f /etc/security/console.apps/poweroff
[root@deep /]# rm -f /etc/security/console.apps/reboot
[root@deep /]# rm -f /etc/security/console.apps/shutdown
[root@deep /]# rm -f /etc/security/console.apps/xserver (if removed, root
will be the only user able to start X)

This will disable console-equivalent access to the programs halt, poweroff, reboot, and
shutdown. Once again, the program xserver applies only if you installed the X Window interface
on your system.

WARNING: If you are following our setup installation, the X Window interface is not installed on your
server and the xserver file described above will not appear in the /etc/security/console.apps
directory, so skip that part of the step.





Disabling all console access

The Linux-PAM library installed by default on your system allows the system administrator to
choose how applications authenticate users, such as for console access, program and file
access. In order to disable all these accesses for the users, you must comment out all lines that
refer to pam_console.so in the files of the /etc/pam.d directory. This step is a continuation of the
hack "Disabling console program access". The following script will do the trick automatically for you.

Step 1
• As 'root' create the disabling.sh script file (touch disabling.sh) and add the
following lines inside:

#!/bin/sh
# Comment out every active (not already commented) line that calls pam_console.so
cd /etc/pam.d || exit 1
for i in * ; do
    sed '/^[^#].*pam_console\.so/s/^/#/' < "$i" > foo && mv foo "$i"
done

Step 2

• Make this script executable with the following command and execute it:
[root@deep /]# chmod 700 disabling.sh
[root@deep /]# ./disabling.sh

This will comment out all lines that refer to pam_console.so in all files located under the
/etc/pam.d directory. Once the script has been executed, you can remove it from your system.


The Login access control table

In a server environment where authorized and legitimate logins can come from everywhere, it is
important to have a security file which gives us more control over which
users can connect to the server. What we are looking for here is a way to stop some legitimate
accounts from logging in from just anywhere. Fortunately, this file exists and is
called "access.conf"; you can find it under your /etc/security directory.

The access.conf file, which comes already installed with your native Linux system, allows us to
control which authorized users can/cannot log in to the server or to the console and from where.
Don't forget that user access can come from everywhere, from a remote host or directly from the
console of the system. Configuration of the access.conf file of Linux is not complicated to
understand. Below I show you how to configure it to be very restrictive and secure.


Step 1

Denying access to everyone by default is the first step of a reliable security policy. In this way
we eliminate the possibility of forgetting someone or making a mistake.

• Edit the access.conf file (vi /etc/security/access.conf) and add the following
line at the end of the file.

-:ALL EXCEPT root gmourani:ALL

This access policy means to disallow console logins as well as remote logins to everyone from
anywhere except for the users 'root' and 'gmourani'. With this choice of policy, we deny local
and remote logins to every user with a shell account on the system from everywhere
and allow only the selected users.


Take note that many possibilities exist, for example allowing the same users 'root' and
'gmourani' to log in only from the remote host with IP address 207.35.78.2. The rules are read
top to bottom and the first match decides; if no rule matches, pam_access permits the login, so
a restrictive policy must deny the selected users from every other origin explicitly. To enable
this policy, change the above policy to this one:

• Edit the access.conf file (vi /etc/security/access.conf) and add the following
lines at the end of the file.

-:ALL EXCEPT root gmourani:ALL
-:root gmourani:ALL EXCEPT 207.35.78.2

Here the first line denies every account other than 'root' and 'gmourani' from anywhere, and the
second denies those two users from every origin except 207.35.78.2, which includes local access at
the console, even for the super-user 'root'. Therefore if you want to work as 'root' you need first to
log in as user 'gmourani' from the remote host with IP address 207.35.78.2 and su to 'root' (this is
why 'root' is kept in the list of users allowed from 207.35.78.2). Note that a line such as
"-:ALL:LOCAL" on its own only denies console logins; it does not stop these two users from logging
in from other remote hosts.


Step 2
To be able to use the access.conf feature of Linux, make sure to add the following line to
/etc/pam.d/login, and to /etc/pam.d/sshd if you use this service, or it will not work. Before
you do, make sure the policy leaves you a way in (a console login or a host you can reach), since
a mistake here locks out root as well.

• Edit the login file (vi /etc/pam.d/login) and add the following line.

account    required   /lib/security/pam_access.so

After adding the above line, the /etc/pam.d/login file should look like this:

#%PAM-1.0
auth       required   /lib/security/pam_securetty.so
auth       required   /lib/security/pam_stack.so service=system-auth
auth       required   /lib/security/pam_nologin.so
account    required   /lib/security/pam_stack.so service=system-auth
account    required   /lib/security/pam_access.so
password   required   /lib/security/pam_stack.so service=system-auth
session    required   /lib/security/pam_stack.so service=system-auth

NOTE: Please read the information about possible configurations of this file inside the access.conf
file itself, since your policies will certainly differ from the example shown above.
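Because a wrong access.conf either locks legitimate users out or leaves a hole, it pays to dry-run a policy before the pam_access line goes into /etc/pam.d/login. The script below is an added example (not from the book or from Linux-PAM): a small evaluator for the rule forms used in this section, "permission:users:origins" with ALL, EXCEPT and LOCAL, following pam_access's first-match-wins order and its default of permitting a login that no rule matches. LOCAL is treated as pam_access does, matching an origin without a dot such as a tty name; netgroups, netmasks and domain-suffix origins are not modelled.

```shell
#!/bin/sh
# Added example (not from the book or Linux-PAM): dry-run an access.conf policy
# against user/origin pairs. Rules are "permission:users:origins"; the first
# matching rule decides; with no match pam_access permits the login.
# Supported field forms: ALL, LOCAL (origins), "word ...", "ALL EXCEPT word ...".

# item_matches "WORDS" VALUE KIND: 0 if one of the words matches VALUE, where
# KIND is "user" or "origin". ALL matches anything; LOCAL matches an origin
# that contains no dot (a tty name such as tty1), as pam_access does.
item_matches() {
    for w in $1; do
        case "$w" in
            ALL)   return 0 ;;
            LOCAL) if [ "$3" = origin ]; then
                       case "$2" in *.*) ;; *) return 0 ;; esac
                   fi ;;
            *)     [ "$w" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# field_matches FIELD VALUE KIND: like item_matches but honours "ALL EXCEPT".
field_matches() {
    case "$1" in
        "ALL EXCEPT "*) ! item_matches "${1#ALL EXCEPT }" "$2" "$3" ;;
        *)              item_matches "$1" "$2" "$3" ;;
    esac
}

# trim STRING: strip leading and trailing blanks, which pam_access tolerates.
trim() {
    printf '%s' "$1" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//'
}

# access_check USER ORIGIN CONFFILE: print the deciding rule prefixed by its
# permission ("+" or "-"), or the default permit when no rule matched.
access_check() {
    while IFS= read -r line; do
        rule=$(trim "$line")
        case "$rule" in ''|'#'*) continue ;; esac
        perm=$(trim "${rule%%:*}")
        rest=${rule#*:}
        users=$(trim "${rest%%:*}")
        origins=$(trim "${rest#*:}")
        if field_matches "$users" "$1" user && field_matches "$origins" "$2" origin; then
            printf '%s %s\n' "$perm" "$rule"
            return 0
        fi
    done < "$3"
    echo "+ (no rule matched; pam_access permits by default)"
}

# access_decision USER ORIGIN CONFFILE: just "+" or "-".
access_decision() {
    access_check "$@" | cut -c1
}
```

Run it as "access_check gmourani 207.35.78.9 /etc/security/access.conf" for each user and origin you care about; a "+" that comes from the default line rather than from a rule you wrote is the sign of an incomplete policy.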
Tighten console permissions for privileged users

The console.perms security file of Linux, which uses the pam_console.so module to operate,
is designed to give privileged users at the physical console (virtual terminals and local xdm-
managed X sessions) capabilities that they would not otherwise have, and to take those
capabilities away when they are no longer logged in at the console.

It provides two main kinds of capabilities: file permissions and authentication. When a user logs in
at the console and no other user is currently logged in at the console, the pam_console.so
module will change permissions and ownership of files as described in the file
/etc/security/console.perms.

Please note that the "privileged users" here have nothing in common with regular accounts you may
add to the server: they are simply whoever is logged in at the physical console. The names floppy,
cdrom, scanner, etc. in the file are device classes (groups of device files), not user accounts; the
module hands ownership of those devices to the console user while he or she is logged in.

Step 1

The default console.perms configuration file of Linux is secure enough for regular use of a
system where an X Window interface is installed, but in a highly secure
environment where the Graphical User Interface (GUI) is not installed or where some special
devices like sound, jaz, etc. have no reason to exist, we can tighten the console.perms
security file of Linux by eliminating device classes that do not exist or are not needed, so that the
console user does not receive capabilities over them that he or she would not otherwise have.


• Edit the console.perms file (vi /etc/security/console.perms), and change the
default lines inside this file:

# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
<xconsole>=:[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]*
<sound>=/dev/dsp* /dev/audio* /dev/midi* \
        /dev/mixer* /dev/sequencer
<cdrom>=/dev/cdrom* /dev/cdwriter*
<pilot>=/dev/pilot
<jaz>=/dev/jaz
<zip>=/dev/zip
<scanner>=/dev/scanner
<fb>=/dev/fb /dev/fb[0-9]*
<kbd>=/dev/kbd
<joystick>=/dev/js*
<v4l>=/dev/video* /dev/radio* /dev/winradio* /dev/vtx* /dev/vbi*
<gpm>=/dev/gpmctl
<dri>=/dev/dri/* /dev/nvidia*

# permission definitions
<console>  0660 <floppy>     0660 root.floppy
<console>  0600 <sound>      0640 root.sys
<console>  0600 <cdrom>      0600 root.disk
<console>  0600 <pilot>      0660 root.tty
<console>  0600 <jaz>        0660 root.disk
<console>  0600 <zip>        0660 root.disk
<console>  0600 <scanner>    0600 root
<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0600 <joystick>   0600 root
<console>  0600 <v4l>        0600 root
<console>  0700 <gpm>        0700 root
<xconsole> 0600 /dev/console 0600 root.root
<xconsole> 0600 <dri>        0600 root


To read:

# file classes -- these are regular expressions
<console>=tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]

# device classes -- these are shell-style globs
<floppy>=/dev/fd[0-1]*
<cdrom>=/dev/cdrom* /dev/cdwriter*
<pilot>=/dev/pilot
<fb>=/dev/fb /dev/fb[0-9]*
<kbd>=/dev/kbd
<gpm>=/dev/gpmctl
<dri>=/dev/dri/* /dev/nvidia*

# permission definitions
<console>  0660 <floppy>     0660 root.floppy
<console>  0600 <cdrom>      0600 root.disk
<console>  0600 <pilot>      0660 root.tty
<console>  0600 <fb>         0600 root
<console>  0600 <kbd>        0600 root
<console>  0700 <gpm>        0700 root

Here we removed every entry related to the Graphical User Interface (the <xconsole> file class and
its /dev/console and <dri> permission lines) and those related to sound, zip drive, jaz drive,
scanner, joystick and video (v4l) devices at the physical console on the server.


Putting limits on resources

The limits.conf file located under the /etc/security directory can be used to control and
limit resources for the users on your system. It is important to set resource limits on all your users
so they can't perform denial of service attacks (number of processes, amount of memory, etc.) on
the server. These limits are set up for the user when he or she logs in.

For example, limits for all users on your system might look like this.

Step 1

• Edit the limits.conf file (vi /etc/security/limits.conf) and add or change
the lines to read:

*    hard  core   0
*    hard  rss    5000
*    hard  nproc  35

This says to prohibit the creation of core files ("core 0"), restrict the number of processes to 35
("nproc 35"), and restrict resident memory usage to 5 MB ("rss 5000", the unit is kilobytes) for
everyone except the super user "root". All of the above only concerns users who have entered through
the login prompt on your system. With this kind of quota, you have more control on the processes,
core files, and memory usage that users may have on your system. The asterisk "*" means: all users
that log in on the server. Be aware that the Linux kernel does not enforce the rss limit as a real
cap on memory; if you need one, limit the address space with the "as" item (also in kilobytes).

Putting an asterisk "*" to cover all users can pose a problem with daemon user accounts like "www"
for a Web Server, "mysql" for an SQL Database Server, etc. If we put an asterisk, then these
users will be affected by the restriction and limitation of processes or memory usage.
To solve the problem, we can choose an existing group name in our system and add every
regular user to this group. In this manner, the restrictions and limitations will apply to all users
who are members of this group only. A special group account named "users" can be used
for this purpose.

• Edit the limits.conf file (vi /etc/security/limits.conf) and add or change
the lines to read:

@users    hard  core   0
@users    hard  rss    5000
@users    hard  nproc  35

If you decide to use a group name like "@users" to control and limit resources for the users on
your system, then it is important not to forget to set the GID (group ID) of these users
to "100". "100" is the numeric value of the group "users".

• The command to create a new user whose initial group is set to users is:
[root@deep /]# useradd -g100 admin

The "-g100" option gives the number of the user's initial login group, and in our case "100"
is the group account "users". The "admin" parameter is the user name we want to add to
the group "users".

WARNING: Use the same command above for all users on your system you want to be members of
the "users" group account. It is also preferable to set this up before adding users to
the system.





Step 2 
e You must also edit the /etc/pam.d/login file and add the following line to the bottom 
of the file: 
session required /1lib/security/pam_limits.so 


After adding the line above, the /etc/pam.d/login file should look like this: 


#%PAM-1.0 
auth required /lib/security/pam_securetty.so 
auth required /lib/security/pam_stack.so service=system-auth 
auth required /lib/security/pam_nologin.so 
account required /lib/security/pam_stack.so service=system-auth 
account required /lib/security/pam_access.so 
password required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_limits.so 
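As an added illustration (not part of the original text), the following shell script resolves which hard limit an account actually gets from a limits.conf like the one above. The limits.conf content and the group membership table embedded in it are constructed samples, and the precedence it applies is the one pam_limits uses: a line naming the user wins over an @group line, which wins over the “*” default. Only “hard” lines are considered; “soft” and “-” entries are left out to keep the script short.

```shell
#!/bin/sh
# Constructed /etc/security/limits.conf (sample, not a real system file).
LIMITS_CONF='# <domain> <type> <item> <value>
*       hard    core    0
@users  hard    rss     5000
@users  hard    nproc   35
admin   hard    nproc   50
'

# Constructed group membership, user:group1,group2 (stands in for the
# /etc/passwd and /etc/group lookups pam_limits performs).
MEMBERSHIP='admin:users,wheel
alice:users
www:www
mysql:mysql
'

groups_of() {
    printf '%s\n' "$MEMBERSHIP" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# effective_hard_limit <user> <item>
# Resolves the hard limit the way pam_limits does: a line naming the user
# beats an @group line, which beats the "*" default. Prints "none" when no
# line applies, meaning the kernel default stays in force.
effective_hard_limit() {
    printf '%s\n' "$LIMITS_CONF" | awk -v u="$1" -v g="$(groups_of "$1")" -v it="$2" '
        BEGIN { best = 99; val = "none"; n = split(g, grp, ",") }
        /^[ \t]*#/ || NF < 4 { next }
        $2 != "hard" || $3 != it { next }
        {
            prio = 99
            if ($1 == u) prio = 0
            else if (substr($1, 1, 1) == "@") {
                for (i = 1; i <= n; i++) if (substr($1, 2) == grp[i]) prio = 1
            }
            else if ($1 == "*") prio = 2
            if (prio < best) { best = prio; val = $4 }
        }
        END { print val }'
}

# Demonstration: the daemon accounts pick up the "*" core limit but none of
# the @users limits; admin gets his own nproc line instead of the group one.
for u in admin alice www mysql; do
    printf '%-6s core=%-5s rss=%-5s nproc=%s\n' "$u" \
        "$(effective_hard_limit "$u" core)" \
        "$(effective_hard_limit "$u" rss)" \
        "$(effective_hard_limit "$u" nproc)"
done
```

Running it shows www and mysql picking up only the “*” core limit, which is exactly the effect the text warns about, while alice gets the @users limits and admin’s own nproc line overrides the group’s 35. To run it against a real system, replace groups_of with id -Gn "$1" | tr ' ' ',' and feed the real limits.conf. Keep in mind that pam_limits only acts on sessions opened through a PAM service that lists it (login, su, sshd); a daemon started directly by an init script is unaffected, but one started through su in that script is not.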
Controlling access time to services 

As the Linux-PAM documentation says, running a well-regulated system occasionally involves 
restricting access to certain services in a selective manner. The time.conf security file, which is 
read by the pam_time.so module of Linux-PAM, offers some time control for access to services 
offered by a system. Its actions are determined through the configuration file called time.conf, 
located under the /etc/security directory. 


Step 1 
The time.conf file can be configured to deny access to (individual) users based on their name, 
the time of day, the day of the week, the service they are applying for and the terminal from which 
they are making their request. Each rule has four fields separated by semicolons: 
services;ttys;users;times. Within a field, terms are joined with “&” (and) and “|” (or), and a 
leading “!” negates a term. A rule is enforced when its services, ttys and users fields all match the 
login attempt; access is then denied if the current time does not satisfy the times field. 

• Edit the time.conf file (vi /etc/security/time.conf), and add the following line: 


login ; tty* & !ttyp* ; !root & !gmourani ; !Al0000-2400 


The above time control access line denies all users access to console login at all times: “Al0000-2400” 
covers every day around the clock and the leading “!” turns that into “never”. The ttys field restricts 
the rule to real terminals (tty*) and leaves pseudo-terminals (ttyp*) alone, and the “!” terms in the 
users field exempt the super-user “root” and the user “gmourani”. 


Take note that many combinations exist, as described in the time.conf file. We can, for 
example, allow the user “admin” to access console login at any time except at the weekend and on 
Tuesday from 8 AM to 6 PM with the following statement. The rule names “admin” without a “!”, so 
it applies to that account only; writing “!admin” would instead exempt admin and restrict everyone 
else. 


• Edit the time.conf file (vi /etc/security/time.conf), and add the following line: 
login ; * ; admin ; !Wd0000-2400 & !Tu0800-1800 
Step 2 
To be able to use the time.conf feature of Linux, make sure to add the following line to 
/etc/pam.d/login (and to /etc/pam.d/sshd if you use this service), or nothing will work. 
• Edit the login file (vi /etc/pam.d/login) and add the following line: 


account required /lib/security/pam_time.so 


After adding the line above, the /etc/pam.d/login file should look like this: 


#%PAM-1.0 
auth required /lib/security/pam_securetty.so 
auth required /lib/security/pam_stack.so service=system-auth 
auth required /lib/security/pam_nologin.so 
account required /lib/security/pam_stack.so service=system-auth 
account required /lib/security/pam_access.so 
account required /lib/security/pam_time.so 
password required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_limits.so 


NOTE: Please read the information about possible configurations of this file inside the time.conf 
file, since your policies will certainly differ from the examples I show above. 
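To check a rule before it locks you out, here is an added example (not from the original text) of a small evaluator that mirrors pam_time’s decision for rules like the ones above. The time.conf text embedded in it is a constructed sample; its second rule names admin without a “!” so that it restricts that account rather than everybody else. The script handles only the subset of the syntax used here (single two-letter day codes, HHMM-HHMM ranges, “!”, and “&”/“|” evaluated left to right) and assumes spaces around the operators so it can split the terms; pam_time itself does not need those spaces.

```shell
#!/bin/sh
# Constructed /etc/security/time.conf (sample, not a real system file).
TIME_CONF='# services ; ttys ; users ; times
login ; tty* & !ttyp* ; !root & !gmourani ; !Al0000-2400
login ; * ; admin ; !Wd0000-2400 & !Tu0800-1800
'

# pam_time_check <service> <tty> <user> <day> <HHMM>   -> prints ALLOW or DENY
# A rule whose services, ttys and users fields all match is enforced, and
# access is denied when the day/time does not satisfy its times field.
# Day codes: Mo Tu We Th Fr Sa Su, Wk (weekdays), Wd (weekend), Al (every day).
pam_time_check() {
    printf '%s\n' "$TIME_CONF" | awk -F';' -v svc="$1" -v tty="$2" -v usr="$3" -v day="$4" -v now="$5" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function glob_eq(pat, s) {               # exact match, or prefix match for "xyz*"
        if (pat == "*") return 1
        if (substr(pat, length(pat)) == "*")
            return substr(s, 1, length(pat) - 1) == substr(pat, 1, length(pat) - 1)
        return pat == s
    }
    function day_ok(code) {
        if (code == "Al") return 1
        if (code == "Wk") return day != "Sa" && day != "Su"
        if (code == "Wd") return day == "Sa" || day == "Su"
        return code == day
    }
    function time_ok(range,   a, b) {        # HHMM-HHMM, may wrap past midnight
        a = substr(range, 1, 4) + 0; b = substr(range, 6, 4) + 0
        if (a <= b) return now >= a && now < b
        return now >= a || now < b
    }
    function term(t, kind,   neg, v) {       # one term, with optional leading "!"
        neg = 0
        if (substr(t, 1, 1) == "!") { neg = 1; t = substr(t, 2) }
        if (kind == "time") v = day_ok(substr(t, 1, 2)) && time_ok(substr(t, 3))
        else v = glob_eq(t, kind == "tty" ? tty : usr)
        return neg ? !v : v
    }
    function field(f, kind,   n, tok, i, acc) {   # "term & term | term", left to right
        n = split(trim(f), tok, /[ \t]+/)
        acc = term(tok[1], kind)
        for (i = 2; i + 1 <= n; i += 2) {
            if (tok[i] == "&") acc = acc && term(tok[i + 1], kind)
            else if (tok[i] == "|") acc = acc || term(tok[i + 1], kind)
        }
        return acc
    }
    BEGIN { now = now + 0 }
    /^[ \t]*#/ || NF < 4 { next }
    {
        if (!glob_eq(trim($1), svc)) next
        if (!field($2, "tty")) next
        if (!field($3, "user")) next
        if (!field($4, "time")) { denied = 1; exit }
    }
    END { verdict = denied ? "DENY" : "ALLOW"; print verdict }'
}

# Demonstration: a few login attempts against the two rules above.
for who in "tty1 alice Mo 0930" "tty1 root Mo 0930" "tty1 admin Mo 0930" \
           "ttyp0 admin Mo 0930" "ttyp0 admin Tu 0930" "ttyp0 admin Sa 1200"; do
    set -- $who
    printf '%-6s %-9s %s %s -> %s\n' "$1" "$2" "$3" "$4" "$(pam_time_check login "$@")"
done
```

Note what the run shows for admin on tty1: the first rule already denies every account except root and gmourani at the console, so the second rule only makes a difference on terminals the first one does not cover, such as the ttyp pseudo-terminals. Keep that interaction in mind when you stack several rules in one file; pam_time stops at the first rule that denies.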
Blocking su to root, by one and sundry 

The su (Substitute User) command allows you to become other (existing) users on the system. 
For example, you can temporarily become “root” and execute commands as the super-user “root”. 
If you don’t want anyone to su to root, or want to restrict the su command to certain users, then 
uncomment the following line of your su configuration file in the /etc/pam.d directory. We 
highly recommend that you limit the persons allowed to su to the root account. 


Step 1 
• Edit the su file (vi /etc/pam.d/su) and uncomment the following line in the file: 


auth required /lib/security/pam_wheel.so use_uid 


After this line has been uncommented, the /etc/pam.d/su file should look like this: 


#%PAM-1.0 
auth sufficient /lib/security/pam_rootok.so 

# Uncomment the following line to implicitly trust users in the “wheel” group. 
#auth sufficient /lib/security/pam_wheel.so trust use_uid 

# Uncomment the following line to require a user to be in the “wheel” group. 
auth required /lib/security/pam_wheel.so use_uid 

auth required /lib/security/pam_stack.so service=system-auth 
account required /lib/security/pam_stack.so service=system-auth 
password required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_stack.so service=system-auth 
session optional /lib/security/pam_xauth.so 


This means that only members of the “wheel” group can su to root; the use_uid option makes 
pam_wheel check the real UID of the user running su, and attempts are logged through syslog. Note 
that “wheel” (GID 10) is a special group on your system reserved for this purpose; pam_wheel checks 
that group by default, and only its group= option lets you name a different one. This hack, combined 
with specifying which tty and vc devices root is allowed to log in on, will improve the security of 
your system a lot. 


Step 2 
Now that we have enabled the “wheel” check in our /etc/pam.d/su configuration file, it is time 
to add the users who will be allowed to su to the “root” account. 


• If you want to make, for example, the user “admin” a member of the “wheel” group, and 
thus able to su to root, use the following command: 


[root@deep /]# usermod -G10 admin 


Here “-G” gives the list of supplementary groups the user is also a member of, “10” is the 
numeric ID of the group “wheel”, and “admin” is the user we want to add to the “wheel” group. 
Use the same command for every user on your system who should be able to su to the “root” 
account. Be aware that -G replaces the whole supplementary group list, so a user who already 
belongs to other supplementary groups must have them all listed again (check first with the groups 
command, then for example usermod -G wheel,users admin). 


NOTE: For Linux users who use the X Window interface, it is important to note that if you can’t su 
in a GNOME terminal, it is because you have used the wrong terminal (so don’t think that this advice 
doesn’t work simply because of a GNOME terminal problem). 
Facultative: 

With the latest Linux operating system, a special line exists in the su file /etc/pam.d/su which 
allows you to implicitly trust users in the “wheel” group (for security reasons, I don’t recommend 
using this option). This means that all users who are members of the “wheel” group can su to root 
without the need to enter the “root” password: the compromise of any wheel member’s account 
then becomes the compromise of root. 


• To allow users who are members of the “wheel” group to su to the root account without the 
need to enter the “root” password, edit the su file (vi /etc/pam.d/su) and 
uncomment the following line in the file: 


auth sufficient /lib/security/pam_wheel.so trust use_uid 


After this line has been uncommented, the /etc/pam.d/su file should look like this: 


#%PAM-1.0 
auth sufficient /lib/security/pam_rootok.so 

# Uncomment the following line to implicitly trust users in the “wheel” group. 
auth sufficient /lib/security/pam_wheel.so trust use_uid 

# Uncomment the following line to require a user to be in the “wheel” group. 
auth required /lib/security/pam_wheel.so use_uid 

auth required /lib/security/pam_stack.so service=system-auth 
account required /lib/security/pam_stack.so service=system-auth 
password required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_stack.so service=system-auth 
session optional /lib/security/pam_xauth.so 
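To audit the result rather than trust the edit, the following is an added example (not part of the book) that classifies an /etc/pam.d/su according to its active pam_wheel lines and lists who is in wheel. Both files embedded in it are constructed samples, and the three outcomes, “trusted”, “restricted” and “open”, are labels chosen for this example.

```shell
#!/bin/sh
# Constructed /etc/pam.d/su (sample, not a real system file): the "require
# wheel" line is active and the "trust wheel" line is still commented out.
PAM_SU='#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
'

# Constructed /etc/group (sample): wheel is GID 10, as on Red Hat.
ETC_GROUP='root:x:0:
wheel:x:10:admin,alice
users:x:100:
'

# su_policy <contents of /etc/pam.d/su>
# Looks only at active (uncommented) pam_wheel lines and prints:
#   trusted    - a "sufficient ... trust" line lets wheel members become root
#                without typing the root password
#   restricted - a "required" line limits su to wheel members, who still must
#                give the root password
#   open       - no active pam_wheel line: anyone who knows the password may su
su_policy() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $3 ~ /pam_wheel\.so$/ {
            if ($2 == "sufficient" && $0 ~ / trust/) trusted = 1
            if ($2 == "required") restricted = 1
        }
        END {
            r = trusted ? "trusted" : (restricted ? "restricted" : "open")
            print r
        }'
}

# wheel_members <contents of /etc/group> [group name]
# Prints the supplementary members of the group, one per line. Accounts whose
# primary GID in /etc/passwd is the group are members too but do not show here.
wheel_members() {
    printf '%s\n' "$1" | awk -F: -v g="${2:-wheel}" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Demonstration
printf 'su policy: %s\n' "$(su_policy "$PAM_SU")"
printf 'accounts that may su to root: %s\n' "$(wheel_members "$ETC_GROUP" | tr '\n' ' ')"
```

On a real server, call su_policy "$(cat /etc/pam.d/su)" and wheel_members "$(cat /etc/group)". A result of “trusted” together with a long wheel list is the combination to worry about, because every one of those accounts is then as valuable to an attacker as root itself.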
Linux General System Optimization 


Abstract 

At this stage of your configuration, you should now have a Linux server optimally configured and 
secured. Our server contains the most essential packages and programs installed to be able to 
work properly, and the most essential general system security configuration. Before we continue 
and begin to install the services we want to share with our customers, it is important to tune our 
Linux server. 


The tuning we will perform in the following part will be applied to the whole system. It also applies 
to present as well as future programs, such as the services that we will later install. Generally, 
Red Hat Linux out of the box is compiled for the generic i386 and is not optimized for your specific 
CPU architecture (most people now run Linux on a Pentium-class processor). The sections below will 
guide you through the different steps to optimize your Linux server for your specific processor, 
memory and network. 


Static vs. shared libraries 

During compilation and build time of a program, the last stage (where all the parts of the program 
are joined together) is to link the software against the Linux libraries if needed. These libraries, 
which come in both shared and static formats, contain common system code which is kept in 
one place and shared between programs. Obviously there are some tasks that many programs 
will want to do, like opening files, and the code that performs these functions is provided by the 
Linux libraries. On most Linux systems these library files can be found in the /lib and /usr/lib 
directories (and /usr/local/lib for software you built yourself). The default behaviour of the 
linker is to link against the shared library, and only if it cannot find a shared version does it fall 
back to the static archive. 


One of the differences between using static or shared libraries is this: when using a static library, 
the linker finds the bits that the program modules need and directly copies them into the 
executable output file that it generates. For shared libraries, it leaves a note in the output saying, 
“when this program is run, it will first have to load this library”. 


As Gregory A Lundberg from the WU-FTPD Development Group said: 
Performance-wise, for most systems, worrying about static vs. dynamic is a moot point. There 
simply isn’t enough difference to measure. 


Security-wise there are valid arguments both ways. Static linking is less secure because it locks 
in the library bugs; unless you rebuild all such programs, your system won't be properly secured. 
Static linking is more secure because it avoids library attacks. The choice is yours: run a daemon 
which will remain vulnerable to library attacks, or run one which remains vulnerable to library 
bugs. 


Portability-wise, the only difference is the size of the file you'll be transferring between systems. 


To make setup easier, a statically linked daemon is only needed when the libraries are 
completely unavailable. That is rarely the case. Finally, on a busy system (when performance 
becomes a true issue), by statically linking you'll be DEGRADING performance. Being bigger, as 
more and more statically linked daemons are running, your system begins to swap sooner and 
since none of the code is shared, swapping will have a larger effect on performance. So, when 
looking to improve performance, you'll want to use shared libraries as much as possible. 
If you decide to compile a program statically, you will generally need to add the “-static” and/or 
“--disable-shared” option flags to your compile line during compilation of your software. Be 
aware that it is not always possible to compile every program statically; this depends highly on 
how the developers coded the software. 


To summarize: 


1. If you want to compile a program with shared libraries, you will use something like the 
following: 
CFLAGS='-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer' ./Configure \ 


2. If you want to compile a program with static libraries, you will use something like the 
following: 
CFLAGS='-O3 -static -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer' ./Configure \ 
--disable-shared \ 


WARNING: On Linux, static libraries have names like libc.a, while shared libraries are called 
libc.so.x.y.z, where x.y.z is some form of version number. Since it would be quite a pain to 
recompile programs each time the version number changed, programs instead reference libraries 
by a shorter name (the soname, libc.so.6 for example) and depend on the dynamic linker, with the 
symlinks maintained by ldconfig, to map that shorter name to the current version. Shared libraries 
therefore often have symbolic links pointing to them. 





The Glibc 2.2 library of Linux 

Glibc 2.2, which replaces the libc4 and libc5 that came before it, is the latest version of the 
GNU C Library for Linux, and it contains the standard libraries used by multiple programs on the 
system as described in the previous section. This particular package contains the most important 
sets of shared and static libraries, which provide the core functionality for C programs to run; 
without it, a Linux system would not function. 


Under Red Hat Linux this package comes built for the i386 processor for portability reasons, and 
this poses a problem for us if we want to compile optimized programs under Linux: even if we 
have put in all the optimization flags we need to improve the speed of our server, when the 
compiler links the static or shared library files into our program, those library files are still 
optimized for an i386 processor. 


In this case, our program will have some parts of its binary optimized for an i686 processor (the 
program itself) and other parts optimized for an i386 processor (the Glibc libraries). To solve 
the problem, we have made new RPM packages available at the following Internet address: 


• Go to this URL and download the following RPM packages for an i686 CPU: 
URL: No longer available (use the Glibc for i686 from the Red Hat Linux CD-ROM) 


glibc-2.2.2-1.i686.rpm 
glibc-common-2.2.2-1.i686.rpm 
glibc-devel-2.2.2-1.i686.rpm 

For each RPM for your particular architecture, run: 


[root@deep /]# rpm -Uvh [filename] 

Afterwards, verify that the i686 build is the one installed with 
rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' glibc, which should print i686 rather than i386. 
Why Linux programs are distributed as source 

Linux has been ported to run on a large number of different machines, and rather than provide a 
copy for each machine Linux can run on, it is much simpler just to distribute the source and let the 
end user compile it. The creators of the distribution have no idea if you are going to be running it 
on a 386 or on a Pentium III and above, so they have to build programs that work on all 
processors, and this is where the problem comes from: all the programs that were installed 
with your distribution are compiled so they work on the 386 for portability, meaning 
that they don’t use any newer feature like MMX, which can only be found on newer generations of 
processors. 


Fortunately, various compiler options exist to optimize the programs you want to install under Linux 
for your specific CPU architecture. This is great for those of us who want to tweak every ounce of 
performance out of a program: now we get to decide how the program is compiled. If you want 
some speed out of your programs, you have to know a fair amount about the various option flags 
you can use to compile. 


The first thing you want to set is your CPU type; that is done with the “-march=cpu_type” 
(machine architecture) flag, for example “-march=i686” or “-march=k6”. This allows the 
compiler to select the appropriate instructions and scheduling for the processor, but it is 
only the beginning of what can be done. 


You can set the “-O” flag anywhere from 1 to 3 to tell the compiler how aggressive to be with the 
optimizations; “-O3” will produce the fastest programs, assuming the compiler didn’t optimize an 
important part of a subroutine away. The next thing you might want to do is check out the “-f” 
options of the compiler; these are things like “-funroll-loops” and 
“-fomit-frame-pointer”. 


WARNING: Compiling with the “-fomit-frame-pointer” switch makes the generated code address 
local variables through the stack pointer instead of a dedicated frame pointer register. 
Unfortunately, debugging (and getting a usable backtrace out of a crashed daemon) is almost 
impossible with this option. Also pay special attention to the optimization level “-O3”: the “O” is a 
capital letter O and not a 0 (zero). 





Some misunderstanding in the compiler flags options 

A lot of discussion exists in the Linux community about the “-O” option and its level numbers. 
Some Linux users try to convince others that a level number above “-O3”, like “-O9”, will produce 
faster programs. The “-O9” flag doesn’t do anything over “-O3”; if you don’t believe me, make a 
small file, call it test03.c, and see: 


Step 1 
• Create the test03.c file with the following command: 
[root@deep tmp]# touch test03.c 


Step 2 
• Run the gcc compiler with the “-O3” flag on the test03.c file with the command: 
[root@deep tmp]# gcc -O3 -S -fverbose-asm test03.c 

Step 3 
Look at the test03.s file that it made, then run again with “-O9” and compare the output. 


• Create the test09.c file with the following command: 
[root@deep tmp]# touch test09.c 


Step 4 
• Run the gcc compiler again with the “-O9” flag on the test09.c file with the 
command: 
[root@deep tmp]# gcc -O9 -S -fverbose-asm test09.c 


Step 5 
Now if you compare the output you will see no difference between the two files beyond the 
source file name (and the option string gcc echoes back in its “options passed” comment); the 
list of optimizations actually enabled is identical. 


• To compare the output, use the following command: 
[root@deep tmp]# diff test03.s test09.s > difference 


WARNING: The “-O3” flag level number is the best and highest optimization flag you can use 
during optimization of programs under Linux; gcc silently treats any higher level as “-O3”. 





The gcc 2.96 specs file 

The /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file of Red Hat Linux is a set of 
definitions that the gcc driver uses internally to set various aspects of the compile environment. 
All customizations that you put in this file apply to every compilation on your system, so putting 
optimization flags in this file is a good choice. 


To squeeze the maximum performance from your x86 programs, you can use full optimization 
when compiling with the “-O3” flag. Many programs contain “-O2” in their Makefile. The “-O3” level 
number is the highest level of optimization. It will increase the size of what it produces, but the 
result runs faster. You can also use the “-march=cpu_type” switch to optimize the program for the 
CPU listed, to the best of GCC’s ability. However, the resulting code will only run on the 
indicated CPU or a later one. 


Below are the optimization flags that we recommend you put in your /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs 
file, depending on your CPU architecture. The optimization options apply only when we compile and 
install a new program on our server. These optimizations don’t play any role in our existing Linux 
base system; they just tell our compiler to optimize the new programs that we will install with the 
optimization flags we have specified in the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file. 
Adding the options listed below for your CPU architecture to the gcc 2.96 specs file will save you 
having to change every CFLAGS in future Makefiles. Keep a backup copy of the original specs file 
before editing it: a typo in this file breaks every compilation on the system until it is restored. 


Step 1 
The first thing to do is to verify the compiler version installed on your Linux server. 


• To verify the compiler version installed on your system, use the command: 
[root@deep /]# gcc -v 
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs 
gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-81) 




Step 2 


For CPU i686 or PentiumPro, Pentium II, Pentium III, and Athlon 

Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways, and 
you’ll see a section like the following (the *cpp_cpu: entry is a single long line in the file): 


*cpp_cpu_default: 
-D__tune_i386__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


Change it to the following (only the *cpp_cpu_default: and *cc1_cpu: entries change; the 
*cpp_cpu: entry stays exactly as it was): 


*cpp_cpu_default: 
-D__tune_i686__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: -O3 -march=i686 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


WARNING: Make sure that you’re putting -O3 and not -03 (dash zero three). 
For CPU i586 or Pentium 
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways, and 
you’ll see a section like the following (the *cpp_cpu: entry is a single long line in the file): 


*cpp_cpu_default: 
-D__tune_i386__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


Change it to the following (only the *cpp_cpu_default: and *cc1_cpu: entries change; the 
*cpp_cpu: entry stays exactly as it was): 


*cpp_cpu_default: 
-D__tune_i586__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: -O3 -march=i586 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


WARNING: Make sure that you’re putting -O3 and not -03 (dash zero three). 
For CPU i486 
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways, and 
you’ll see a section like the following (the *cpp_cpu: entry is a single long line in the file): 


*cpp_cpu_default: 
-D__tune_i386__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


Change it to the following (only the *cpp_cpu_default: and *cc1_cpu: entries change; the 
*cpp_cpu: entry stays exactly as it was): 


*cpp_cpu_default: 
-D__tune_i486__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: -O3 -march=i486 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


WARNING: Make sure that you’re putting -O3 and not -03 (dash zero three). 
For CPU AMD K6 
Edit the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file, scroll down a ways, and 
you’ll see a section like the following (the *cpp_cpu: entry is a single long line in the file): 


*cpp_cpu_default: 
-D__tune_i386__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


Change it to the following (only the *cpp_cpu_default: and *cc1_cpu: entries change; the 
*cpp_cpu: entry stays exactly as it was): 


*cpp_cpu_default: 
-D__tune_k6__ 

*cpp_cpu: 
-Acpu(i386) -Amachine(i386) %{!ansi:-Di386} -D__i386 -D__i386__ %{march=i386:%{!mcpu*:-D__tune_i386__ }}%{march=i486:-D__i486 -D__i486__ %{!mcpu*:-D__tune_i486__ }}%{march=pentium|march=i586:-D__pentium -D__pentium__ %{!mcpu*:-D__tune_pentium__ }}%{march=pentiumpro|march=i686:-D__pentiumpro -D__pentiumpro__ %{!mcpu*:-D__tune_pentiumpro__ }}%{march=k6:-D__k6 -D__k6__ %{!mcpu*:-D__tune_k6__ }}%{march=athlon:-D__athlon -D__athlon__ %{!mcpu*:-D__tune_athlon__ }}%{m386|mcpu=i386:-D__tune_i386__ }%{m486|mcpu=i486:-D__tune_i486__ }%{mpentium|mcpu=pentium|mcpu=i586:-D__tune_pentium__ }%{mpentiumpro|mcpu=pentiumpro|mcpu=i686:-D__tune_pentiumpro__ }%{mcpu=k6:-D__tune_k6__ }%{mcpu=athlon:-D__tune_athlon__ }%{!march*:%{!mcpu*:%{!m386:%{!m486:%{!mpentium*:%(cpp_cpu_default)}}}}} 

*cc1_cpu: 
%{!mcpu*: -O3 -march=k6 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}} 


WARNING: Make sure that you’re putting -O3 and not -03 (dash zero three). 
Step 3 
Once our optimization flags have been applied to the gcc 2.96 specs file, it is time to verify that 
the modification works. 


• To verify that the optimization works, use the following commands: 
[root@deep tmp]# touch cpu.c 
[root@deep tmp]# gcc cpu.c -S -fverbose-asm 
[root@deep tmp]# less cpu.s 


What you’ll get is a file that contains, depending on the options you have chosen, something like: 


	.file	"cpu.c" 
	.version	"01.01" 
# GNU C version 2.96 20000731 (Red Hat Linux 7.1) (i386-redhat-linux) compiled by GNU C version 2.96 20000731 (Red Hat Linux 7.1). 
# options passed:  -O3 -march=i686 -funroll-loops -fomit-frame-pointer -fverbose-asm 
# options enabled:  -fdefer-pop -fomit-frame-pointer -foptimize-sibling-calls 
# -fcse-follow-jumps -fcse-skip-blocks -fexpensive-optimizations -fthread-jumps 
# -fstrength-reduce -funroll-loops -fpeephole -fforce-mem -ffunction-cse 
# -finline-functions -finline -fkeep-static-consts -fcaller-saves 
# -fpcc-struct-return -fgcse -frerun-cse-after-loop -frerun-loop-opt 
# -fdelete-null-pointer-checks -fschedule-insns2 -fsched-interblock -fsched-spec 
# -fbranch-count-reg -fnew-exceptions -fcommon -fverbose-asm -fgnu-linker 
# -fregmove -foptimize-register-move -fargument-alias -fstrict-aliasing -fident 
# -fpeephole2 -fmath-errno -m80387 -mhard-float -mno-soft-float -mieee-fp 
# -mfp-ret-in-387 -march=i686 

gcc2_compiled.: 
	.ident	"GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.1 2.96-81)" 


The line to look for is “options passed”: if -O3 and -march=i686 appear there even though you gave 
gcc no flags on the command line, the specs file is doing its job. 


WARNING: In our example we optimized the specs file for an i686 CPU. It is important to note that 
most of the “-f” options are automatically included when you use “-O3” and don’t need to be 
specified again. The changes that were shown were made so that a plain “gcc” command really 
means “gcc -O3 -march=i686 ...” without having to change every single Makefile, which can 
really be a pain. 





Below is the explanation of the different optimization options we use: 


• The “-march=cpu_type” optimization flag 
The “-march=cpu_type” option tells the compiler to generate code for the given CPU and, with 
gcc 2.96, also to schedule instructions for it (it implies -mcpu=cpu_type). The resulting 
binaries may use instructions that older processors do not have, which is why the code will 
only run on the indicated CPU or a later one. 


• The “-funroll-loops” optimization flag 
The “-funroll-loops” option performs the optimization of loop unrolling, and does it only 
for loops whose number of iterations can be determined at compile time or at run time. 


• The “-fomit-frame-pointer” optimization flag 
The “-fomit-frame-pointer” option, one of the most interesting, allows the program not to 
keep the frame pointer in a register for functions that don’t need one. This avoids the 
instructions to save, set up and restore frame pointers; it also makes an extra register available 
in many functions, but it makes debugging impossible on most machines. 

WARNING: All future optimizations that we will describe in this book refer by default to a Pentium 
Pro/II/III and higher i686 CPU family. So you must adjust the compilation flags for your specific 
CPU processor type in the /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs file and 
at compilation time. 
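Because the specs file is read by every gcc invocation, a typo in it is painful. As an added example (not from the original text), the script below pulls a section out of a specs file excerpt and checks the flags for the mistakes this chapter warns about: “-03” typed with a zero, an “-O” level above 3, and a missing -march. The specs excerpt is a constructed sample of the i686 edit, and the specs_section and check_cflags names are this example’s own.

```shell
#!/bin/sh
# Constructed excerpt of a gcc 2.96 specs file after the i686 edit (sample,
# not a copy of any real file): only the two sections the edit touches.
SPECS='*cpp_cpu_default:
-D__tune_i686__

*cc1_cpu:
%{!mcpu*: -O3 -march=i686 -funroll-loops -fomit-frame-pointer %{m386:-mcpu=i386} %{m486:-mcpu=i486} %{mpentium:-mcpu=pentium} %{mpentiumpro:-mcpu=pentiumpro}}
'

# specs_section <name>: print the body of the "*name:" section, which in a
# specs file runs from the header line to the next blank line.
specs_section() {
    printf '%s\n' "$SPECS" | awk -v hdr="*$1:" '
        $0 == hdr { on = 1; next }
        on && /^[ \t]*$/ { exit }
        on { print }'
}

# check_cflags <flag string>
# Prints one line per problem and nothing when the flags look sane:
#   bad   - "-0N" typed with a zero, which gcc does not understand
#   note  - an -O level above 3, which gives nothing over -O3
#   warn  - no -march=cpu_type, so the code is tuned for the generic i386
check_cflags() {
    arch=
    set -f                     # no pathname expansion while splitting the flags
    for f in $1; do
        case $f in
            -0[0-9]*)  echo "bad: '$f' is dash-zero; the optimization flag is a capital O, as in -O3" ;;
            -O[4-9]*)  echo "note: '$f' is treated as -O3; levels above 3 add nothing" ;;
            -march=*)  arch=${f#-march=} ;;
        esac
    done
    set +f
    [ -n "$arch" ] || echo "warn: no -march=cpu_type given; code will be tuned for the generic i386 default"
    return 0
}

# Demonstration
printf 'cc1_cpu flags: %s\n' "$(specs_section cc1_cpu)"
check_cflags "$(specs_section cc1_cpu)"            # prints nothing: the edit is correct
check_cflags "-03 -march=i686 -funroll-loops"     # reports the dash-zero typo
check_cflags "-O9 -funroll-loops"                 # reports -O9 and the missing -march
```

To check the live file instead of the sample, replace the printf in specs_section with cat /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs. The same check_cflags function can be pointed at the CFLAGS line of any Makefile before you type make.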





Tuning IDE Hard Disk Performance 

hdparm is a tool which can be used to tune and improve the performance of your IDE hard 
disk. By default, any IDE drives you have in your Linux system are not optimized. Even if you 
have an ULTRA DMA system you will not be able to take full advantage of its speed if you are not 
using the hdparm tool to enable its features. This is because there are many different hard drive 
makes and models and Linux cannot know every feature of each one. 








Performance increases have been reported on massive disk I/O operations by setting the IDE 
drivers to use DMA, 32-bit transfers and multiple sector modes. The kernel seems to use more 
conservative settings unless told otherwise. The magic command to change the setting of your 
drive is hdparm. 





Before going into the optimization of your hard drive, it is important to verify that the hdparm 
package is installed in your system. If you have followed every step during the installation of 
Linux on your computer, then this package is not installed. 


> To verify if hdparm package is installed on your system, use the command: 
[root@deep /]# rpm -q hdparm 
package hdparm is not installed 


If the hdparm package seems not to be installed, you'll need to mount your CD-ROM drive 
containing the Linux CD-ROM Part 1 and install it. 


• To mount the CD-ROM drive, use the following commands: 
[root@deep /]# mount /dev/cdrom /mnt/cdrom/ 
hda: ATAPI 32X CD-ROM drive, 128kB Cache 
mount: block device dev/cdrom is write-protected, mounting read-only 


• To install the hdparm package on your Linux system, use the following command: 
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/ 
[root@deep RPMS]# rpm -Uvh hdparm-version.i386.rpm 
hdparm ################################################## 


• To unmount your CD-ROM drive, use the following command: 
[root@deep RPMS]# cd /; umount /mnt/cdrom/ 


Once the hdparm package is installed on the system, it is time to go into the optimization of your 
hard drive. It is important to note that depending on your model and make, there will be some 
parameters that apply and others that don't. It is your responsibility to know and understand 
your disk drive before applying any optimization parameters as described below. 


Finally, and especially for UltraDMA systems, it is vital to verify under your BIOS settings if the 
parameters related to DMA support on your computer are enabled or you will inevitably break your 
hard disk. You have been warned. 
Step 1 

The first parameter applies to the majority of all modern drives and models in the market and 
enables 32-bit I/O over PCI buses. This option is one of the most important and will usually 
double the speed of your drive. 


• To enable 32-bit I/O over the PCI buses, use the following command: 
[root@deep /]# /sbin/hdparm -c3 /dev/hda (or hdb, hdc etc). 


This will usually, depending on your IDE Disk Drive model, cut the timing buffered disk reads time 
by two. The hdparm(8) manpage says that you may need to use “-c3” for many chipsets since it 
works with nearly all 32-bit IDE chipsets. All (E)IDE drives still have only a 16-bit connection 
over the ribbon cable from the interface card. 



















Step 2 
The second parameter applies only to standard DMA disks and will activate the simple DMA feature 
of the disk. This feature is for old disk drives with DMA capabilities. 


• To enable DMA, use the following command: 
[root@deep /]# /sbin/hdparm -d1 /dev/hda (or hdb, hdc etc). 


This may depend on support for your motherboard chipset being compiled into your kernel. Also, 
this command will enable DMA support for your hard drive only on interfaces which support DMA; it 
will cut the timing buffered disk reads time and improve the performance by two. 


Step 3 
Multiword DMA mode 2, also known as ATA2 disk drive, is the successor of the simple DMA drive. If 
you have this kind of hard drive, then you must enable the parameter in your Linux system. 


• To enable multiword DMA mode 2 transfers, use the following command: 
[root@deep /]# /sbin/hdparm -d1 -X34 /dev/hda (or hdb, hdc etc). 





This sets the IDE transfer mode for newer (E)IDE/ATA2 drives. (Check your hardware manual 
to see if you have it). 














Step 4 
As for DMA mode 2, the UltraDMA mode 2 is an improvement of the DMA technology. If you have 
this kind of drive in your system, then choose this mode. 


• To enable UltraDMA mode 2 transfers, use the following command: 
[root@deep /]# /sbin/hdparm -d1 -X66 /dev/hda (or hdb, hdc etc) 


See your manual page about hdparm for more information. USE THIS OPTION WITH EXTREME 
CAUTION! 


Step 5 

The UltraDMA mode 4 is one of the latest entries and one of the most popular at this time; it is 
also known and referred to as ATA/66. I guess that most of you have this kind of drive installed and 
if it is the case then it is the one that you must choose for sure. 


• To enable UltraDMA mode 4 transfers, use the following command: 
[root@deep /]# /sbin/hdparm -d1 -X12 -X68 /dev/hda (or hdb, hdc etc) 
This will enable UltraDMA ATA/66 mode on your drive. See your manual page about hdparm 
for more information. USE THIS OPTION WITH EXTREME CAUTION! 


Step 6 

Multiple sector mode (aka IDE Block Mode), is a feature of most modern IDE hard drives, 
permitting the transfer of multiple sectors per I/O interrupt, rather than the usual one sector per 
interrupt. When this feature is enabled, it typically reduces operating system overhead for disk I/O 
by 30-50%. On many systems it also provides increased data throughput of anywhere from 5% to 
50%. 








• To set multiple sector mode I/O, use the following command: 
[root@deep /]# /sbin/hdparm -mxx /dev/hda (or hdb, hdc etc) 


Where “xx” is the maximum setting supported by your drive. The “-i” flag can be used to find the 
maximum setting supported by an installed drive: look for MaxMultSect in the output. 


• To find the maximum setting of your drive, use the following command: 
[root@deep /]# /sbin/hdparm -i /dev/hda (or hdb, hdc etc) 


/dev/hda: 

 Model=QUANTUM FIREBALLP LM15, FwRev=A35.0700, SerialNo=883012661990 
 Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs } 
 RawCHS=16383/16/63, TrkSize=32256, SectSize=21298, ECCbytes=4 
 BuffType=3 (DualPortCache), BuffSize=1900kB, MaxMultSect=16, MultSect=16 
 DblWordIO=no, OldPIO=2, DMA=yes, OldDMA=2 
 CurCHS=16383/16/63, CurSects=-66060037, LBA=yes, LBAsects=29336832 
 tDMA={min:120,rec:120}, DMA modes: mword0 mword1 mword2 
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, PIO modes: mode3 mode4 
 UDMA modes: mode0 mode1 mode2 mode3 *mode4 

















Step 7 

The get/set sector count is used to improve performance in sequential reads of large files! The 
default setting is 8 sectors (4KB) and we will double and change it for 16. USE THIS OPTION 
WITH EXTREME CAUTION! 


• To improve the get/set sector count for file system read-ahead, use the command: 
[root@deep /]# /sbin/hdparm -a16 /dev/hda (or hdb, hdc etc) 


Step 8 
The get/set interrupt-unmask flag will greatly improve Linux's responsiveness and eliminate 
"serial port overrun" errors. USE THIS OPTION WITH EXTREME CAUTION! 


• To improve and get/set the interrupt-unmask flag for the drive, use the command: 
[root@deep /]# /sbin/hdparm -u1 /dev/hda (or hdb, hdc etc) 


Step 9 
The IDE drive's write-caching feature will improve the performance of the hard disk. USE THIS 
OPTION WITH EXTREME CAUTION! 





• To enable the IDE drive's write-caching feature, use the following command: 
[root@deep /]# /sbin/hdparm -W1 /dev/hda (or hdb, hdc etc) 
Step 10 
These options will allow the drive to retain your settings over a soft reset (as done during the error 
recovery sequence). It is important to note that not all drives support this feature. 


• To enable the drive to retain your settings, use the command: 
[root@deep /]# /sbin/hdparm -K1 -k1 /dev/hda (or hdb, hdc etc) 


Step 11 
Once every tuning related to your specific drive has been set, you can test the results and see if 
you want to keep them or not. 


• You can test the results of your changes by running hdparm in performance test mode: 
[root@deep /]# /sbin/hdparm -vtT /dev/hda (or hdb, hdc etc). 


/dev/hda: 
 multcount = 16 (on) 
 I/O support = 3 (32-bit w/sync) 
 unmaskirq = 1 (on) 
 using_dma = 1 (on) 
 keepsettings = 1 (on) 
 nowerr = 0 (off) 
 readonly = 0 (off) 
 readahead = 16 (on) 
 geometry = 1826/255/63, sectors = 29336832, start = 0 

 Timing buffer-cache reads: 128 MB in 0.85 seconds = 150.59 MB/sec 
 Timing buffered disk reads: 64 MB in 2.54 seconds = 25.20 MB/sec 





Once you have a set of hdparm options, you can put the commands in your 
/etc/rc.d/rc.local file to run them every time you reboot the machine. When running from 
/etc/rc.d/rc.local, you can add the “-q” option for reducing screen clutter. In my case, I will 
put the following configuration at the end of my rc.local file: 














/sbin/hdparm -q -c3 -d1 -X12 -X68 -m16 -a16 -u1 -W1 -k1 -K1 /dev/hda 
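The steps above hard-code the mode numbers for one particular drive. The following script is an added example, not from the book and not part of hdparm itself: it parses the output of hdparm -i (a constructed sample modelled on the Quantum Fireball listing above, plus a constructed older ATA2 drive) and derives the -c, -d, -X and -m flags from what the drive itself reports, then builds the rc.local line. The function names, and the choice to leave out the "extreme caution" flags (-a16, -u1, -W1) so that they are added by hand, are my own, not the book's.

```shell
#!/bin/sh
# Added example, not from the book: derive the hdparm flags from the drive's
# own `hdparm -i` identification instead of typing -X68 from memory.
# Mode numbering follows hdparm(8): -X(32+n) selects multiword DMA mode n,
# -X(64+n) selects UltraDMA mode n; -m takes the MaxMultSect the drive reports.
# The BIOS and cable caveats from the text still apply: UltraDMA modes above 2
# need an 80-conductor cable and DMA enabled in the BIOS.

# Constructed sample modelled on the book's Quantum Fireball output.
SAMPLE_UDMA_DRIVE=' Model=QUANTUM FIREBALLP LM15, FwRev=A35.0700, SerialNo=883012661990
 Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs }
 BuffType=3(DualPortCache), BuffSize=1900kB, MaxMultSect=16, MultSect=16
 DblWordIO=no, OldPIO=2, DMA=yes, OldDMA=2
 tDMA={min:120,rec:120}, DMA modes: mword0 mword1 mword2
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, PIO modes: mode3 mode4
 UDMA modes: mode0 mode1 mode2 mode3 *mode4'

# Constructed sample of an older ATA2 drive: multiword DMA only, no UDMA line.
SAMPLE_MWORD_DRIVE=' Model=OLD ATA2 DRIVE, FwRev=1.0, SerialNo=0000
 BuffType=DualPortCache, BuffSize=128kB, MaxMultSect=8, MultSect=8
 tDMA={min:120,rec:120}, DMA modes: mword0 mword1 *mword2
 IORDY=on/off, PIO modes: mode3 mode4'

# hdparm_flags_from_identify IDENTIFY_TEXT
#   Prints the flags Steps 1-6 above would use for this drive: -c3 (32-bit
#   I/O), -d1 -Xnn (fastest DMA mode the drive lists, UltraDMA preferred over
#   multiword) and -mNN (MaxMultSect). If the drive lists no DMA mode at all,
#   no -d1/-X is emitted, so a non-DMA drive is never forced into DMA.
hdparm_flags_from_identify() {
    printf '%s\n' "$1" | awk '
        /MaxMultSect=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^MaxMultSect=/) { split($i, a, "[=,]"); mult = a[2] }
        }
        /UDMA modes:/ {
            # last (highest) mode listed wins; a leading "*" marks the current one
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\*?mode[0-9]+$/) { sub(/^\*/, "", $i); udma = substr($i, 5) }
        }
        /DMA modes:/ && !/UDMA/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\*?mword[0-9]+$/) { sub(/^\*/, "", $i); mword = substr($i, 6) }
        }
        END {
            flags = "-c3"
            if (udma != "")       flags = flags " -d1 -X" (64 + udma)
            else if (mword != "") flags = flags " -d1 -X" (32 + mword)
            if (mult != "")       flags = flags " -m" mult
            print flags
        }'
}

# hdparm_rc_local_line DEVICE IDENTIFY_TEXT
#   Builds the line to append to /etc/rc.d/rc.local: the book's -q plus the
#   derived flags plus the settings-retention flags -k1 -K1. The read-ahead,
#   interrupt-unmask and write-cache flags are deliberately left for you to add
#   by hand, as the text marks them "extreme caution".
hdparm_rc_local_line() {
    printf '/sbin/hdparm -q %s -k1 -K1 %s\n' "$(hdparm_flags_from_identify "$2")" "$1"
}

# On a live system (as root): hdparm_rc_local_line /dev/hda "$(/sbin/hdparm -i /dev/hda)"
hdparm_rc_local_line /dev/hda "$SAMPLE_UDMA_DRIVE"
hdparm_rc_local_line /dev/hdb "$SAMPLE_MWORD_DRIVE"
```

The first sample yields -X68 (UltraDMA mode 4, matching the *mode4 in the listing) and -m16; the older drive yields -X34 (multiword mode 2) and -m8, which is the Step 3 setting.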








NOTE: The latest release of Red Hat Linux (7.1) now by default automatically optimizes your IDE 
hard drive. Therefore, you don't have to configure it as shown above, but I prefer to tell you this 
now to let you read this section and understand how hard disk optimization works with the 
hdparm tool of Linux. 
6 Security and Optimization — Kernel Security & Optimization 
In this Chapter 


Making an emergency boot floppy 

Checking the /boot partition of Linux 

Tuning the Kernel 

Applying the Openwall kernel patch 

Cleaning up the Kernel 

Configuring the Kernel 

Compiling the Kernel 

Installing the Kernel 

Reconfiguring /etc/modules.conf file 

Delete programs, edit files pertaining to modules 
Remounting the /boot partition of Linux as read-only 
Rebooting your system to load the new kernel 
Making a new rescue floppy for Modularized Kernel 
Making a emergency boot floppy disk for Monolithic Kernel 
Optimizing Kernel 
Linux Kernel 


Abstract 

Well, our Linux server seems to be getting in shape now! But wait, what is the most important part 
of our server? Yes, it's the kernel. The Linux kernel is the core of our operating system, and 
without it there is no Linux at all. So we must take care of our kernel and configure it to fit our 
needs and compile just the features we really need. 


The new generation of Linux Kernel 2.4 was seemingly written with the server in mind. Many of 
the old limits, which prevented Linux adoption in the “enterprise” market, have been lifted. The 
first thing to do next is to build a kernel that best suits your system. It's very simple to do but, in 
any case, refer to the README file in the /usr/src/linux source directory after uncompressing 
the archive on your system. When configuring your kernel only compile in code that you need and 
use. A few main reasons that come to mind are: 














✓ The Kernel will be faster (less code to run), 
✓ You will have more memory (Kernel parts are NEVER swapped to the virtual memory), 
✓ More stable (Ever probed for a non-existent card?), 
✓ Unnecessary parts can be used by an attacker to gain access to the machine or other 
machines on the network. 
✓ Modules are also slower than support compiled directly in the kernel. 


In our configuration and compilation we will firstly show you how to build a monolithic kernel, 
which is the recommended method for better performance, and a modularized kernel for 
easy portability between different Linux systems. Monolithic kernel means to only answer 
yes or no to the questions (don't make anything modular) and omit the steps: make modules 
and make modules_install. 


Unfortunately with Linux kernel 2.4 generation, patching our new kernel with the buffer overflow 
protection from Openwall kernel patches will not work since the Openwall project announced that 
Linux 2.4 is NOT going to be supported until 2.4.10 or so. Patches for the Linux kernel exist, like 
Solar Designer's non-executable stack patch, which disallows the execution of code on the stack, 
making a number of buffer overflow attacks harder - and defeating completely a number of 
current exploits used by "script kiddies" worldwide. 


These installation instructions assume 

Commands are Unix-compatible. 

The source path is /usr/src. 

Installations were tested on Red Hat Linux 7.1. 

All steps in the installation will happen using the super-user account “root”. 

Latest Kernel version number is 2.4.5 

Latest Secure Linux Kernel Patches version number is not available with this kernel. 
Packages 
The following are based on information as listed by The Linux Kernel Archives as of 2001/05/26 
and by the Openwall project as of 2001/05/26. Please regularly check at www.kernel.org and 
www.openwall.com/linux/ for the latest status. 


Pristine source code is available from: 

Kernel Homepage: http://www.kernel.org/ 

Kernel FTP Site: 209.10.41.242 

You must be sure to download: linux-2.4.5.tar.gz 


Secure Linux Kernel Patches Homepage: http://www.openwall.com/linux/ 
Secure Linux Kernel Patches FTP Site: 195.42.162.180 
You must be sure to download: Not available at this time. 


Prerequisites 

Depending on whether you want a firewall or users quota support with your system, the Linux 
Kernel requires that the listed software below be already installed on your system to be able to 
compile successfully. If this is not the case, you must install them from your Linux CD-ROM or 
source archive files. Please make sure you have all of these programs installed on your system 
before proceeding with this chapter. 


✓ iptables package is the new secure and more powerful program used by Linux to set 
up firewalls as well as IP masquerading in your system. Install this package if you want 
to support Firewalls in your server. 


✓ quota package is a system administration tool for monitoring and limiting users' and/or 
groups' disk usage, per file system. Install this package if you want a tool to control users' 
directory sizes in your server. 


> To verify if iptables package is installed on your system, use the command: 
[root@deep /]# rpm -q iptables 
package iptables is not installed 


> To verify if quota package is installed on your system, use the command: 
[root@deep /]# rpm -q quota 
package quota is not installed 


• To mount your CD-ROM drive before installing the required packages, use the command: 
[root@deep /]# mount /dev/cdrom /mnt/cdrom/ 
hda: ATAPI 32X CD-ROM drive, 128kB Cache 
mount: block device dev/cdrom is write-protected, mounting read-only 


• To install the iptables package on your Linux system, use the following command: 
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/ 
[root@deep RPMS]# rpm -Uvh iptables-version.i386.rpm 
iptables ################################################## 


• To install the quota package on your Linux system, use the following command: 
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/ 
[root@deep RPMS]# rpm -Uvh quota-version.i386.rpm 
quota ################################################## 
NOTE: For more information on Iptables Netfilter Firewall configuration or quota software, see 
their related chapters further on in this book. 





Making an emergency boot floppy 

The first pre-install step is to make an emergency boot floppy. Linux has a small utility named 
mkbootdisk to do this. The first step is to find out what kernel version you are currently using. 
Check your /etc/lilo.conf file and see which image was booted from; from this 
image we can find the kernel version we need to make our emergency boot floppy. In my 
example, I have the following in the lilo.conf file. 


[root@deep /]# cat /etc/lilo.conf 
boot=/dev/sda 

map=/boot/map 
install=/boot/boot.b 

timeout=00 

default=linux 

restricted 

password=mypasswd 


image=/boot/vmlinuz-2.4.2-2 ← the kernel version 
label=linux ← the image we booted from 
initrd=/boot/initrd-2.4.2-2.img 
read-only 
root=/dev/sda6 


Now you'll need to find the image that you booted from. On a standard new first install, it will be 
the one labeled linux. In the above example we show that the machine booted using the 
/boot/vmlinuz-2.4.2-2 original kernel version of the system. Now we simply need to put a 
formatted 1.44 floppy in our system and execute the following command as root: 


[root@deep /]# mkbootdisk --device /dev/fd0H1440 2.4.2-2 
Insert a disk in /dev/fd0. Any information on the disk will be lost. 
Press <Enter> to continue or ^C to abort: 





Following these guidelines, you will now have a boot floppy with a known working kernel in case 
of problems with the upgrade. I recommend rebooting the system with the floppy to make sure 
that the floppy works correctly. 


Checking the /boot partition of Linux 

It is important before going into the compilation and installation of a new kernel to check if the 
/boot file system of Linux is mounted as read-write. If you have followed the steps described in the 
chapter related to “General System Security” under the section named “Mounting the /boot 
directory of Linux as read-only”, then your /boot file system is mounted as read-only. In this 
case we must remount it as read-write or you will not be able to install the new kernel on the 
system. To remount the /boot partition as read-write, follow the simple steps below. 
Step 1 
• Edit the fstab file (vi /etc/fstab) and change the line: 
LABEL=/boot /boot ext2 defaults,ro 1 2 
To read: 
LABEL=/boot /boot ext2 defaults 1 2 





We remove the “ro” option (read-only) from this line to specify to mount this partition as 
read-write. 


Step 2 
Make the Linux system aware of the modification you have made to the /etc/fstab file. 


• This can be accomplished with the following command: 
[root@deep /]# mount /boot -oremount 


• Then test your results or check the state of your /boot partition with the command: 
[root@deep /]# cat /proc/mounts 











/dev/root / ext2 rw 0 0 
/proc /proc proc rw 0 0 
/dev/sda1 /boot ext2 rw 0 0 
/dev/sda10 /cache ext2 rw,nodev 0 0 
/dev/sda9 /chroot ext2 rw 0 0 
/dev/sda8 /home ext2 rw,nosuid 0 0 
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0 
/dev/sda7 /usr ext2 rw 0 0 
/dev/sda11 /var ext2 rw 0 0 
/dev/sda12 /var/lib ext2 rw 0 0 
none /dev/pts devpts rw 0 0 


If you see something like: /dev/sda1 /boot ext2 rw 0 0, congratulations! 
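The two steps above are the kind of thing that ends up in a script, since the chapter later mounts /boot read-only again. As an added example that is not part of the book, the functions below edit the ro option for one mount point in fstab-format text and read a mount point's live options from /proc/mounts-format text, so that the state of /boot can be checked before and after the remount. The sample texts are constructed after the book's listings, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the book: toggle the "ro" mount option for one
# mount point in fstab-format text, and read a mount point's live options
# from /proc/mounts-format text. The samples are constructed; on a real
# system pass "$(cat /etc/fstab)" and "$(cat /proc/mounts)".

SAMPLE_FSTAB='LABEL=/ / ext2 defaults 1 1
LABEL=/boot /boot ext2 defaults,ro 1 2
LABEL=/tmp /tmp ext2 defaults,noexec,nosuid 1 2
none /proc proc defaults 0 0'

SAMPLE_MOUNTS='/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0'

# fstab_set_ro FSTAB_TEXT MOUNTPOINT yes|no
#   Prints FSTAB_TEXT with "ro" added to (yes) or removed from (no) the
#   option list of the line whose mount point is MOUNTPOINT. Other lines are
#   passed through; the option list never ends up empty or with stray commas.
fstab_set_ro() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        $2 == mp {
            n = split($4, o, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (o[i] != "ro") out = (out == "" ? o[i] : out "," o[i])
            if (want == "yes") out = (out == "" ? "ro" : out ",ro")
            $4 = (out == "" ? "defaults" : out)
        }
        { print }'
}

# mount_options MOUNTS_TEXT MOUNTPOINT
#   Prints the option field /proc/mounts reports for MOUNTPOINT, or nothing
#   when it is not mounted.
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }'
}

# mount_is_rw MOUNTS_TEXT MOUNTPOINT: exit 0 when "rw" is among the options
mount_is_rw() {
    case ",$(mount_options "$1" "$2")," in
        *,rw,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demonstration on the constructed samples.
if mount_is_rw "$SAMPLE_MOUNTS" /boot; then
    echo "/boot is mounted read-write; fstab line without ro would be:"
    fstab_set_ro "$SAMPLE_FSTAB" /boot no | awk '$2 == "/boot"'
fi
```

To make the change permanent, write the output of fstab_set_ro back to /etc/fstab and run mount /boot -oremount as in Step 2; mount_is_rw is then the scripted form of the "congratulations!" check above.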


Tuning the Kernel 

Ok, first of all, it is important to copy the new kernel tar archive to the appropriate location on your 
server, /usr/src, and then remove the old kernel from your system before installing the new one. 
Removing the old kernel will not freeze your computer, because the running Linux kernel resides 
in memory; the removal only matters if you try to reboot before installing the new one. 


Step 1 
We must copy the archive file of the kernel to the /usr/src directory and move to this directory. 


• To copy the tar archive of the Linux kernel to the /usr/src directory, use the command: 
[root@deep /]# cp linux-version.tar.gz /usr/src/ 


• To move to the /usr/src directory, use the following command: 
[root@deep /]# cd /usr/src/ 


Step 2 
Depending on how the Linux Kernel has been previously installed on your system, there are two 
possibilities to uninstall it, as shown below. 
If you already have installed a Linux kernel with a tar archive before 

These steps are required only if you already have installed a Linux kernel with a tar archive 
before. If it is a first, fresh install of the Linux kernel, then instead uninstall the 
kernel-headers-version.i386.rpm and kernel-version.i386.rpm packages that are on your system. 





• Move to the /usr/src directory if you are not already in it with the following command: 
[root@deep /]# cd /usr/src/ 


• Remove the Linux symbolic link with the following command: 
[root@deep src]# rm -f linux 


• Remove the Linux kernel headers directory with the following command: 
[root@deep src]# rm -rf linux-2.4.x/ 


• Remove the Linux kernel with the following command: 
[root@deep src]# rm -f /boot/vmlinuz-2.4.x 


• Remove the Linux System.map file with the following command: 
[root@deep src]# rm -f /boot/System.map-2.4.x 


• Remove the Linux kernel modules directory (if available) with the following command: 
[root@deep src]# rm -rf /lib/modules/2.4.x/ 




















NOTE: Removing the old kernel modules is required only if you have installed a modularized 
kernel version before. If the modules directory doesn't exist under the /lib/modules 
directory, it's because your old kernel version is not a modularized kernel. 





If the original kernel’s RPM packages are installed on your system 

If the original kernel RPM packages are installed on your system instead of the Linux kernel tar 
archive, because you have just finished installing your new Linux system, or have used an RPM 
package before to upgrade your Linux system, then use the following command to uninstall the 
Linux kernel: 


• You can verify which kernel RPM packages are installed on your system with the 
following command: 
[root@deep src]# rpm -qa | grep kernel 
kernel-2.4.2-2 
kernel-headers-2.4.2-2 





The above command shows us that kernel and kernel-headers are the only kernel RPM 
packages installed on our system. We uninstall them as shown below. 


• To uninstall the Linux kernel RPMs, use the following command: 
[root@deep src]# rpm -e --nodeps kernel kernel-headers 








NOTE: If you receive an error message like: cannot remove /lib/modules/2.4.x 
directory, directory not empty, then remove the directory manually with a command like: 
rm -rf /lib/modules/2.4.x/ from your system. This directory is related to the old kernel 
and it is not required for the new kernel we want to install. 
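Both the mkbootdisk section earlier (which needs the version of the kernel that lilo boots by default) and the uninstall steps above (which delete files that lilo.conf may still point at) come down to reading lilo.conf. The script below is an added example, not from the book: it extracts the default image and its version from lilo.conf-format text, prints the mkbootdisk line the book uses, and lists the lilo labels that still reference a given kernel version so that they can be repointed before the next reboot, which is when a removed kernel actually bites. The sample lilo.conf is constructed after the book's, extended with a second stanza; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the book: read lilo.conf-format text to find the
# kernel version the machine boots by default (the argument mkbootdisk needs)
# and to list which lilo labels still depend on a kernel version that the
# uninstall steps are about to remove. The sample is constructed after the
# book's lilo.conf; on a real system pass "$(cat /etc/lilo.conf)".

SAMPLE_LILO='boot=/dev/sda
map=/boot/map
install=/boot/boot.b
timeout=00
default=linux
restricted
password=mypasswd

image=/boot/vmlinuz-2.4.2-2
        label=linux
        initrd=/boot/initrd-2.4.2-2.img
        read-only
        root=/dev/sda6

image=/boot/vmlinuz-2.4.5
        label=linux-new
        read-only
        root=/dev/sda6'

# lilo_default_image LILO_TEXT
#   Prints the image= path of the stanza whose label matches default=, or the
#   first image when there is no default= line (which is lilo's own rule).
lilo_default_image() {
    printf '%s\n' "$1" | awk '
        { eq = index($1, "="); if (eq == 0) next
          key = substr($1, 1, eq - 1); val = substr($1, eq + 1) }
        key == "default" { def = val }
        key == "image"   { img = val; if (first == "") first = val }
        key == "label"   { label[img] = val }
        END {
            if (def != "") for (i in label) if (label[i] == def) { print i; exit }
            print first
        }'
}

# kernel_version_from_image IMAGE_PATH: /boot/vmlinuz-2.4.2-2 -> 2.4.2-2
kernel_version_from_image() {
    case $1 in
        */vmlinuz-*) printf '%s\n' "${1#*/vmlinuz-}" ;;
        *) return 1 ;;
    esac
}

# mkbootdisk_command LILO_TEXT: the book's mkbootdisk line for the default kernel
mkbootdisk_command() {
    ver=$(kernel_version_from_image "$(lilo_default_image "$1")") || return 1
    printf 'mkbootdisk --device /dev/fd0H1440 %s\n' "$ver"
}

# lilo_labels_for_version LILO_TEXT VERSION
#   Prints every label whose stanza boots /boot/vmlinuz-VERSION. Empty output
#   means nothing in lilo.conf depends on that kernel; anything printed must
#   be repointed (and lilo re-run) before rebooting once the files are gone.
lilo_labels_for_version() {
    printf '%s\n' "$1" | awk -v img="/boot/vmlinuz-$2" '
        { eq = index($1, "="); if (eq == 0) next
          key = substr($1, 1, eq - 1); val = substr($1, eq + 1) }
        key == "image" { cur = val }
        key == "label" && cur == img { print val }'
}

echo "boot floppy: $(mkbootdisk_command "$SAMPLE_LILO")"
echo "labels still booting 2.4.2-2: $(lilo_labels_for_version "$SAMPLE_LILO" 2.4.2-2)"
```

Run lilo_labels_for_version for the version you are about to remove; with the sample above, removing 2.4.2-2 leaves the label linux (the default) pointing at a kernel that no longer exists, which is exactly the situation the emergency boot floppy is made for.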
Step 3 

Once we have uninstalled the old kernel and after our new kernel tar archive has been copied to 
the /usr/src directory, we must uncompress it and remove the tar archive 
(linux-version.tar.gz) from the system if we wish to conserve disk space. 


• To uncompress the kernel, use the following command: 
[root@deep src]# tar xzpf linux-version.tar.gz 


• To remove the kernel tar archive from the system, use the following command: 
[root@deep src]# rm -f linux-version.tar.gz 








WARNING: If kernel compilation is something new for you, then it is recommended to keep the 
kernel tar archive (linux-version.tar.gz) until the end of the installation. In this way, if you 
make some mistake during compilation, you always have the source available to try again. 





Step 4 

Ok, the old kernel has been uninstalled from our system; we have copied the new one to its 
appropriate location and uncompressed it. Now, we must tune our new Linux kernel to the 
maximum of its capabilities. All optimizations shown below are just an increase of the default 
kernel parameters. 


• Edit the sem.h file (vi +66 /usr/src/linux/include/linux/sem.h) and change 
the following parameter: 











#define SEMMNI 128 /* <= IPCMNI max # of semaphore identifiers */ 
To read: 
#define SEMMNI 512 /* <= IPCMNI max # of semaphore identifiers */ 


• Edit the printk.c file (vi +26 /usr/src/linux/kernel/printk.c) and change 
the following parameter: 
#define LOG_BUF_LEN (16384) 
To read: 
#define LOG_BUF_LEN (65536) 
Step 5 

Finally, we must instruct the kernel to fit our specific CPU architecture and optimization flags. 
Depending on your CPU architecture and optimization flags, this step will improve the 
performance of the kernel. As an example, with a PII 400MHz the BogoMIPS will become 799.54 
instead of the default number of 400.00. Also take note that it is not because BogoMIPS shows 
you a number of 799.54 for a 400MHz CPU that your processor runs at this speed now. The 
BogoMIPS result can only be taken as a rough benchmark, since it has never been a meaningful 
measurement. 


• Edit the Makefile file (vi +19 /usr/src/linux/Makefile) and change the line: 
HOSTCFLAGS = -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer 
To read: 
HOSTCFLAGS = -Wall -Wstrict-prototypes -O3 -funroll-loops -fomit-frame-pointer 


• Edit the Makefile file (vi +90 /usr/src/linux/Makefile) and change the line: 
CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-strict-aliasing 
To read: 
CFLAGS := $(CPPFLAGS) -Wall -Wstrict-prototypes -O3 -funroll-loops -fomit-frame-pointer -fno-strict-aliasing 








WARNING: These changes turn on aggressive optimization tricks that may or may not work with all 
kernels. Please, if the optimization flags above do not work for you, don't try to force them to work. I 
wouldn't want to make your system unstable like Microsoft Windows. Also take note that we are 
not specifying the “-march=i686” option in the above lines, since the kernel build will add this 
option automatically during compilation, based on the processor you choose during kernel 
configuration. 
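Editing by line number (vi +66, vi +19, vi +90) silently lands on the wrong line when a kernel release shifts its sources by a few lines. As an added example that is not the book's, the shell functions below make the Step 4 and Step 5 changes by symbol name instead, and refuse to touch a file when the expected line is not there exactly once. They are exercised on scratch copies here; the names set_define and set_make_opt are mine, and the Makefile variant assumes the "VAR = ..." / "VAR := ..." layout shown above.

```shell
#!/bin/sh
# Added example, not from the book: apply the sem.h, printk.c and Makefile
# edits of Steps 4 and 5 by symbol name, with a check that the target line
# exists, instead of by line number. Works on any file; on a real tree point
# it at /usr/src/linux/include/linux/sem.h, /usr/src/linux/kernel/printk.c
# and /usr/src/linux/Makefile.

# get_define FILE NAME: print the value token of "#define NAME value", if any.
get_define() {
    sed -n "s|^#define[[:space:]]\{1,\}$2[[:space:]]\{1,\}\([^[:space:]]*\).*|\1|p" "$1"
}

# set_define FILE NAME NEWVALUE
#   Replaces the value token of the single "#define NAME ..." line, keeping
#   the spacing and any trailing comment. Fails and leaves FILE untouched
#   when NAME is defined zero or several times.
set_define() {
    file=$1; name=$2; value=$3
    n=$(grep -c "^#define[[:space:]]\{1,\}$name[[:space:]]" "$file" || true)
    [ "$n" -eq 1 ] || { echo "set_define: $name defined $n times in $file" >&2; return 1; }
    sed "s|^\(#define[[:space:]]\{1,\}$name[[:space:]]\{1,\}\)[^[:space:]]*\(.*\)$|\1$value\2|" \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# set_make_opt FILE VARNAME OLDFLAG NEWFLAGS
#   On the "VARNAME = ..." or "VARNAME := ..." line, replaces the word OLDFLAG
#   (e.g. -O2) with NEWFLAGS (e.g. "-O3 -funroll-loops"). Fails without
#   changing FILE when the variable line or the flag is missing. The line is
#   re-emitted with single spaces between words.
set_make_opt() {
    file=$1; var=$2; old=$3; new=$4
    awk -v var="$var" -v old="$old" -v new="$new" '
        $1 == var && ($2 == ":=" || $2 == "=") {
            seen = 1; hit = 0
            for (i = 3; i <= NF; i++) if ($i == old) { $i = new; hit = 1 }
            if (!hit) bad = 1
        }
        { print }
        END { if (bad || !seen) exit 1 }' "$file" > "$file.tmp" \
        || { rm -f "$file.tmp"; echo "set_make_opt: $old not found on $var line in $file" >&2; return 1; }
    mv "$file.tmp" "$file"
}

# Demonstration on scratch copies (constructed after the book's lines).
demo=$(mktemp -d)
printf '#define SEMMNI  128\t\t/* <= IPCMNI max # of semaphore identifiers */\n' > "$demo/sem.h"
printf 'HOSTCFLAGS\t= -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer\n' > "$demo/Makefile"
set_define "$demo/sem.h" SEMMNI 512
set_make_opt "$demo/Makefile" HOSTCFLAGS -O2 "-O3 -funroll-loops"
cat "$demo/sem.h" "$demo/Makefile"
rm -rf "$demo"
```

get_define is the matching read-back: after the edit it should print 512 for SEMMNI and (65536) for LOG_BUF_LEN, which is a quicker check than re-opening the files in vi.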





Applying the Openwall kernel patch 

The Secure Linux Kernel patches from the Openwall Project are a great way to prevent attacks 
like Stack Buffer Overflows, and others. The Openwall patch is a collection of security-related 
features for the Linux kernel, all configurable via the new "Security options” configuration 
section that will be added to your new kernel. 


This patch may change from version to version, and some may contain various other security 
fixes. Unfortunately Openwall announced that Linux 2.4 is NOT going to be supported until 2.4.10 
or so. Below, I'm continuing to show you how to apply this security patch to the kernel in the 
eventuality that Openwall releases a patch for the kernel 2.4 generation. As you can see, I use a 
fictitious version for my example. 
New features of patch version linux-2.4.5-ow1.tar.g­z are: 
Non-executable user stack area 

Restricted links in /tmp 

Restricted FIFOs in /tmp 

Restricted /proc 

Special handling of fd 0, 1, and 2 

Enforce RLIMIT_NPROC on execve(2) 

Destroy shared memory segments not in use 








WARNING: When applying the linux-2.4.5-ow1 patch, a new “Security options” section will be 
added at the end of your kernel configuration. For more information and description of the 
different features available with this patch, see the README file that comes with the source code of 
the patch. 

















• To apply the Openwall Secure Kernel Patch to the Linux kernel, use the commands: 
[root@deep /]# cp linux-2.4.5-ow1.tar.gz /usr/src/ 
[root@deep /]# cd /usr/src/ 
[root@deep src]# tar xzpf linux-2.4.5-ow1.tar.gz 
[root@deep src]# cd linux-2.4.5-ow1/ 
[root@deep linux-2.4.5-ow1]# mv linux-2.4.5-ow1.diff /usr/src/ 
[root@deep linux-2.4.5-ow1]# cd .. 
[root@deep src]# patch -p0 < linux-2.4.5-ow1.diff 
[root@deep src]# rm -rf linux-2.4.5-ow1 
[root@deep src]# rm -f linux-2.4.5-ow1.diff 
[root@deep src]# rm -f linux-2.4.5-ow1.tar.gz 














First we copy the program archive to the /usr/src directory, then we move to this directory and 
uncompress the linux-2.4.5-ow1.tar.gz archive. We then move to the new uncompressed Linux 
patch directory, move the file linux-2.4.5-ow1.diff containing the patch to /usr/src, return to 
/usr/src and patch our kernel with the file linux-2.4.5-ow1.diff. Afterwards, we remove all files 
related to the patch. 








WARNING: All security messages related to the linux-2.4.5-ow1 patch, like the non-executable 
stack part, should be logged to the log file /var/log/messages. The “Restricted links in /tmp” 
feature of this patch will make mailing list software like Mailman not work properly on the system. The 
“Destroy shared memory segments not in use” feature of this patch will make SQL databases 
like PostgreSQL not work properly on the system, but this seems to be OK with the MySQL 
database now. So if you use or intend to use one of these services, don't enable the 
related feature during compilation of the Kernel. 





The step of patching your new kernel is completed. Now follow the rest of this installation to build 
the Linux kernel and reboot your system. 
Cleaning up the Kernel 
It is important to be sure that your /usr/include/asm, and /usr/include/linux 
subdirectories are just symlinks to the kernel sources. 


Step 1 

The asm and linux subdirectories are soft links to the real include kernel source header 
directories needed for our Linux architecture, for example /usr/src/linux/include/asm-i386 
for asm. 


• To symlink the asm and linux subdirectories to the kernel sources, type the following 
commands on your terminal: 
[root@deep src]# cd /usr/include/ 
[root@deep include]# rm -f asm linux 
[root@deep include]# ln -s /usr/src/linux/include/asm-i386 asm 
[root@deep include]# ln -s /usr/src/linux/include/linux linux 


This is a very important part of the configuration: we remove the asm and linux directories 
under /usr/include, then rebuild new links that point to the same-name directories under the 
new Linux kernel source version directory. The /usr/include directory contains important 
header files needed by your Linux kernel and programs to be able to compile on your system. 











WARNING: If the previously installed kernel in your system was made by RPM packages, then the 
asm and linux soft links will not exist since the uninstall of the kernel-headers RPM package 
removes them automatically for you. Don't forget to create them. 
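A check for the state the two ln commands above are meant to produce, written as an added example rather than taken from the book: check_include_links verifies that /usr/include/asm and /usr/include/linux are symlinks into the intended kernel tree (not real directories, not links into an old tree, not dangling), and make_include_links recreates them while refusing to clobber a real directory, which rm -f would leave in place without warning. The directory arguments let it run against a scratch tree; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the book: verify and (re)create the /usr/include
# asm and linux symlinks described in Step 1. All paths are parameters so the
# functions can be exercised on a scratch tree; the defaults in
# check_include_links are the ones the chapter uses.

# check_include_links [INCLUDE_DIR] [KERNEL_SRC] [ARCH]
#   Exit 0 when INCLUDE_DIR/asm -> KERNEL_SRC/include/asm-ARCH and
#   INCLUDE_DIR/linux -> KERNEL_SRC/include/linux, both symlinks whose targets
#   exist. Otherwise prints one line per problem and exits 1.
check_include_links() {
    inc=${1:-/usr/include}; src=${2:-/usr/src/linux}; arch=${3:-i386}
    rc=0
    for pair in "asm:$src/include/asm-$arch" "linux:$src/include/linux"; do
        name=${pair%%:*}; want=${pair#*:}
        link="$inc/$name"
        if [ ! -L "$link" ]; then
            echo "$link: not a symlink (missing, or stale headers left by an RPM?)"; rc=1
        elif [ "$(readlink "$link")" != "$want" ]; then
            echo "$link -> $(readlink "$link"), expected $want"; rc=1
        elif [ ! -d "$link/" ]; then
            echo "$link -> $want: target directory does not exist"; rc=1
        fi
    done
    return $rc
}

# make_include_links INCLUDE_DIR KERNEL_SRC [ARCH]
#   The book's "rm -f asm linux; ln -s ..." sequence, but it refuses to run
#   when asm or linux is a real directory rather than a link, since rm -f
#   would leave such a directory in place and ln -s would then fail.
make_include_links() {
    inc=$1; src=$2; arch=${3:-i386}
    for name in asm linux; do
        if [ -d "$inc/$name" ] && [ ! -L "$inc/$name" ]; then
            echo "$inc/$name is a real directory, not a link; refusing to replace it" >&2
            return 1
        fi
    done
    rm -f "$inc/asm" "$inc/linux"
    ln -s "$src/include/asm-$arch" "$inc/asm" && ln -s "$src/include/linux" "$inc/linux"
}

# Demonstration on a scratch tree (a real run would use /usr/include and /usr/src/linux).
demo=$(mktemp -d)
mkdir -p "$demo/src/linux/include/asm-i386" "$demo/src/linux/include/linux" "$demo/include"
make_include_links "$demo/include" "$demo/src/linux" i386
check_include_links "$demo/include" "$demo/src/linux" i386 && echo "include links OK"
rm -rf "$demo"
```

Run check_include_links with no arguments on the server after Step 1 and again after any kernel-headers RPM install or removal; the WARNING above describes exactly the case where it reports "not a symlink".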





Step 2 
Make sure you have no stale .o files and dependencies lying around. 


• To be sure that we have no stale .o files and dependencies lying around, type the 
following commands on your terminal: 
[root@deep include]# cd /usr/src/linux/ 
[root@deep linux]# make mrproper 








NOTE: These two steps above simply clean up anything that might have accidentally been left in 
the source tree by the development team. 





You should now have the sources correctly installed. You can configure the Linux kernel in one of 
three ways. The first method is to use the make config command. It provides you with a text- 
based interface for answering all the configuration options. You are prompted for all the options 
you need to set up your kernel. 


The second method is to use the make menuconfig command, which provides all the kernel 
options in an easy-to-use menu. The third is to use the make xconfig command (only available 
if the graphical interface of Linux is installed on the system), which provides a full graphical 
interface to all the kernel options. 
Step 3 

For configuration in this chapter, you will use the make config command because we have not 
installed the XFree86 Window Interface on our Linux server or the necessary packages to use the 
make menuconfig command. 


• Type the following commands on your terminal to load the kernel configuration: 
[root@deep /]# cd /usr/src/linux/ (if you are not already in this directory). 
[root@deep linux]# make config 
rm -f include/asm 
( cd include ; ln -sf asm-i386 asm) 

/bin/sh scripts/Configure arch/i386/config.in 
# 
# Using defaults found in arch/i386/defconfig 
# 


Configuring the Kernel 

As soon as you enter make config at the prompt as described in the previous step, a list of 
configurable kernel options is displayed. For each one you must indicate which features and 
device drivers you want to include in your Linux kernel and how support for specific devices 
should be included. Typically, for each configuration option, you have to respond with one of the 
following choices: 


[y] To compile the feature into the kernel so that it is always loaded. 
[m] To build the feature as a module and load that segment of code on demand. 
[n] To skip the feature and exclude support for that specific device from the kernel. 








WARNING: It is important to note that an uppercase N or Y in the prompt marks the default choice. If a device does not have 
a modular device driver, you will not see the [m] option. Sometimes a [?] option will appear in 
the choices. This means that you can get more information about the feature by typing ? 
followed by ENTER. Choosing the [?] help option will open another terminal describing the option. 





Monolithic kernel configuration 

As we now know, there are two possible configurations for the kernel. The first is called a 
monolithic kernel, the second is called a modularized kernel. Below we begin by 
showing you the configuration of a monolithic kernel, which compiles the required code 
and drivers directly into the kernel, answering the different kernel questions only with yes or no. 
Don't forget to compile only the code that you need and use. 


A new kernel is very specific to your computer hardware. In the monolithic kernel 
configuration part below, we assume the following hardware for our example. Of course you must 
change it to fit your system components. 


1 Pentium-III 667 MHz (i686) processor 
1 Motherboard Asus P3V4X Pro 133 MHz EIDE 
1 Hard Disk Ultra ATA/66 EIDE 
1 Chipset Apollo Pro133A 
1 CD-ROM ATAPI IDE 
1 Floppy Disk 
2 Ethernet Cards 3COM 3c597 PCI 10/100 
1 Mouse PS/2 
If you don't want some options listed in the monolithic kernel configuration that I enable by 
default, answer n (for no) instead of y (for yes) to the related questions. If you want some other 
options that I disable, then answer y instead of n. 


In the configuration below, we tune our kernel for a Pentium III family (i686) processor, enable 
generic firewall support so that the IPTABLES Netfilter firewall feature can be implemented on the system, 
enable DMA support for the IDE disk drive and disable SCSI disk support. We configure the kernel 
to work with a 3Com Ethernet card, and disable the insecure NFS services, USB support and sound 
features for our server. This kind of kernel configuration can be used for all kinds of Linux servers 
except a system that is supposed to run as a Gateway/Proxy Server by forwarding packets. 








rm -f include/asm 

(cd include ; ln -sf asm-i386 asm) 

/bin/sh scripts/Configure arch/i386/config.in 
# 

# Using defaults found in arch/i386/defconfig 
# 


* 
* Code maturity level options 

Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [N/y/?] 
* Loadable module support 

Enable loadable module support (CONFIG_MODULES) [Y/n/?] n 

* Processor type and features 


Processor family (386, 486, 586/K5/5x86/6x86/6x86MX, Pentium-Classic, Pentium-MMX, Pentium-Pro/Celeron/Pentium-II, Pentium-III, Pentium-4, K6/K6-II/K6-III, Athlon/K7, Crusoe, Winchip-C6, Winchip-2, Winchip-2A/Winchip-3) [Pentium-III] 
defined CONFIG_M686FXSR 
Toshiba Laptop support (CONFIG_TOSHIBA) [N/y/?] 
/dev/cpu/microcode - Intel IA32 CPU microcode support (CONFIG_MICROCODE) [N/y/?] 
/dev/cpu/*/msr - Model-specific register support (CONFIG_X86_MSR) [N/y/?] 
/dev/cpu/*/cpuid - CPU information support (CONFIG_X86_CPUID) [N/y/?] 
High Memory Support (off, 4GB, 64GB) [off] 
defined CONFIG_NOHIGHMEM 
MTRR (Memory Type Range Register) support (CONFIG_MTRR) [N/y/?] 
Symmetric multi-processing support (CONFIG_SMP) [Y/n/?] n 
APIC and IO-APIC support on uniprocessors (CONFIG_X86_UP_IOAPIC) [N/y/?] (NEW) y 


* General setup 


Networking support (CONFIG_NET) [Y/n/?] 
SGI Visual Workstation support (CONFIG_VISWS) [N/y/?] 
PCI support (CONFIG_PCI) [Y/n/?] 
PCI access mode (BIOS, Direct, Any) [Any] 
defined CONFIG_PCI_GOANY 
PCI device name database (CONFIG_PCI_NAMES) [Y/n/?] n 
EISA support (CONFIG_EISA) [N/y/?] 
MCA support (CONFIG_MCA) [N/y/?] 
Support for hot-pluggable devices (CONFIG_HOTPLUG) [Y/n/?] n 
System V IPC (CONFIG_SYSVIPC) [Y/n/?] 
BSD Process Accounting (CONFIG_BSD_PROCESS_ACCT) [N/y/?] 
Sysctl support (CONFIG_SYSCTL) [Y/n/?] 
Kernel core (/proc/kcore) format (ELF, A.OUT) [ELF] 
defined CONFIG_KCORE_ELF 
Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) [Y/n/?] 
Kernel support for ELF binaries (CONFIG_BINFMT_ELF) [Y/n/?] 
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Kernel support for MISC binaries (CONFIG_BINFMT_MISC) [Y/n/?] 
Power Management support (CONFIG_PM) [Y/n/?] n 


* Memory Technology Devices (MTD) 

Memory Technology Device (MTD) support (CONFIG_MTD) [N/y/?] 

* Parallel port support 

Parallel port support (CONFIG_PARPORT) [N/y/?] 

* Plug and Play configuration 

Plug and Play support (CONFIG_PNP) [Y/n/?] n 

* Block devices 

Normal PC floppy disk support (CONFIG_BLK_DEV_FD) [Y/m/n/?] 

XT hard disk support (CONFIG_BLK_DEV_XD) [N/y/m/?] 

Compaq SMART2 support (CONFIG_BLK_CPQ_DA) [N/y/m/?] 
Compaq CISS Array support (CONFIG_BLK_CPQ_CISS_DA) [N/y/m/?] 
Mylex DAC960/DAC1100 PCI RAID Controller support (CONFIG_BLK_DEV_DAC960) [N/y/m/?] 
Loopback device support (CONFIG_BLK_DEV_LOOP) [N/y/m/?] 


Network block device support (CONFIG_BLK_DEV_NBD) [N/y/m/?] 
RAM disk support (CONFIG_BLK_DEV_RAM) [N/y/m/?] 





* Multi-device support (RAID and LVM) 
Multiple devices driver support (RAID and LVM) (CONFIG_MD) [N/y/?] 
* Networking options 


Packet socket (CONFIG_PACKET) [Y/m/n/?] 
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y 
Kernel/User netlink socket (CONFIG_NETLINK) [N/y/?] y 
Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y 
Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) y 
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y 
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y 
Socket Filtering (CONFIG_FILTER) [N/y/?] 
Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] 
TCP/IP networking (CONFIG_INET) [Y/n/?] 
IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n 
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?] 
IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] 
IP: tunneling (CONFIG_NET_IPIP) [N/y/?] 
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/?] 
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] 
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [N/y/?] y 


* 


* IP: Netfilter Configuration 
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/?] (NEW) 
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/?] (NEW) y 
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/y/m/?] (NEW) y 
MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/y/m/?] (NEW) y 
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/y/m/?] (NEW) y 
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/y/m/?] (NEW) y 
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/y/m/?] (NEW) y 
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/y/?] (NEW) y 
Packet filtering (CONFIG_IP_NF_FILTER) [N/y/m/?] (NEW) y 
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/y/m/?] (NEW) y 
Packet mangling (CONFIG_IP_NF_MANGLE) [N/y/m/?] (NEW) y 

TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/y/m/?] (NEW) y 

MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/y/m/?] (NEW) y 
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/y/m/?] (NEW) y 
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/y/m/?] (NEW) y 





* 


* 


The IPX protocol (CONFIG_IPX) [N/y/?] 

Appletalk protocol support (CONFIG_ATALK) [N/y/?] 
DECnet Support (CONFIG_DECNET) [N/y/?] 

802.1d Ethernet Bridging (CONFIG_BRIDGE) [N/y/?] 


* QoS and/or fair queueing 

QoS and/or fair queueing (EXPERIMENTAL) (CONFIG_NET_SCHED) [N/y/?] 

* Telephony Support 

Linux telephony support (CONFIG_PHONE) [N/y/?] 

* ATA/IDE/MFM/RLL support 

ATA/IDE/MFM/RLL support (CONFIG_IDE) [Y/n/?] 

* IDE, ATA and ATAPI Block devices 

Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE) [Y/n/?] 
* Please see Documentation/ide.txt for help/info on IDE drives 


Use old disk-only driver on primary interface (CONFIG_BLK_DEV_HD_IDE) [N/y/?] 
Include IDE/ATA-2 DISK support (CONFIG_BLK_DEV_IDEDISK) [Y/n/?] 

Use multi-mode by default (CONFIG_IDEDISK_MULTI_MODE) [N/y/?] 
Include IDE/ATAPI CDROM support (CONFIG_BLK_DEV_IDECD) [Y/n/?] 
Include IDE/ATAPI TAPE support (CONFIG_BLK_DEV_IDETAPE) [N/y/?] 
Include IDE/ATAPI FLOPPY support (CONFIG_BLK_DEV_IDEFLOPPY) [N/y/?] 
SCSI emulation support (CONFIG_BLK_DEV_IDESCSI) [N/y/?] 


* IDE chipset support/bugfixes 


CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640) [Y/n/?] n 
RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000) [Y/n/?] n 
Generic PCI IDE chipset support (CONFIG_BLK_DEV_IDEPCI) [Y/n/?] 
Sharing PCI IDE interrupts support (CONFIG_IDEPCI_SHARE_IRQ) [Y/n/?] 
Generic PCI bus-master DMA support (CONFIG_BLK_DEV_IDEDMA_PCI) [N/y/?] y 
Boot off-board chipsets first support (CONFIG_BLK_DEV_OFFBOARD) [N/y/?] 
Use PCI DMA by default when available (CONFIG_IDEDMA_PCI_AUTO) [N/y/?] y 
AEC62XX chipset support (CONFIG_BLK_DEV_AEC62XX) [N/y/?] 
ALI M15x3 chipset support (CONFIG_BLK_DEV_ALI15X3) [N/y/?] 
AMD Viper support (CONFIG_BLK_DEV_AMD7409) [N/y/?] 
CMD64X chipset support (CONFIG_BLK_DEV_CMD64X) [N/y/?] 
CY82C693 chipset support (CONFIG_BLK_DEV_CY82C693) [N/y/?] 
Cyrix CS5530 MediaGX chipset support (CONFIG_BLK_DEV_CS5530) [N/y/?] 
HPT34X chipset support (CONFIG_BLK_DEV_HPT34X) [N/y/?] 
HPT366 chipset support (CONFIG_BLK_DEV_HPT366) [N/y/?] 
Intel PIIXn chipsets support (CONFIG_BLK_DEV_PIIX) [N/y/?] 
NS87415 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_NS87415) [N/y/?] 
PROMISE PDC20246/PDC20262/PDC20267 support (CONFIG_BLK_DEV_PDC202XX) [N/y/?] 
ServerWorks OSB4 chipset support (CONFIG_BLK_DEV_OSB4) [N/y/?] 
SiS5513 chipset support (CONFIG_BLK_DEV_SIS5513) [N/y/?] 
SLC90E66 chipset support (CONFIG_BLK_DEV_SLC90E66) [N/y/?] 







Tekram TRM290 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_TRM290) [N/y/?] 
VIA82CXXX chipset support (CONFIG_BLK_DEV_VIA82CXXX) [N/y/?] y 

Other IDE chipset support (CONFIG_IDE_CHIPSETS) [N/y/?] 

IGNORE word93 Validation BITS (CONFIG_IDEDMA_IVB) [N/y/?] (NEW) 


* SCSI support 

SCSI support (CONFIG_SCSI) [Y/n/?] n 

* I2O device support 

I2O support (CONFIG_I2O) [N/y/?] 

* Network device support 

Network device support (CONFIG_NETDEVICES) [Y/n/?] 


* ARCnet devices 

ARCnet support (CONFIG_ARCNET) [N/y/?] 

Dummy net driver support (CONFIG_DUMMY) [Y/n/?] 

Bonding driver support (CONFIG_BONDING) [N/y/?] 

EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/?] 
Universal TUN/TAP device driver support (CONFIG_TUN) [N/y/?] 
General Instruments Surfboard 1000 (CONFIG_NET_SB1000) [N/y/?] 


* Ethernet (10 or 100Mbit) 


Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?] 
3COM cards (CONFIG_NET_VENDOR_3COM) [N/y/?] y 
3c501 "EtherLink" support (CONFIG_EL1) [N/y/?] (NEW) 
3c503 "EtherLink II" support (CONFIG_EL2) [N/y/?] (NEW) 
3c505 "EtherLink Plus" support (CONFIG_ELPLUS) [N/y/?] (NEW) 
3c509/3c529 (MCA)/3c579 "EtherLink III" support (CONFIG_EL3) [N/y/?] (NEW) 
3c515 ISA "Fast EtherLink" (CONFIG_3C515) [N/y/?] (NEW) 
3c590/3c900 series (592/595/597) "Vortex/Boomerang" support (CONFIG_VORTEX) [N/y/?] (NEW) y 
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/?] 
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?] 
Racal-Interlan (Micom) NI cards (CONFIG_NET_VENDOR_RACAL) [N/y/?] 
DEPCA, DE10x, DE200, DE201, DE202, DE422 support (CONFIG_DEPCA) [N/y/?] 
HP 10/100VG PCLAN (ISA, EISA, PCI) support (CONFIG_HP100) [N/y/?] 
Other ISA cards (CONFIG_NET_ISA) [N/y/?] 
EISA, VLB, PCI and on board controllers (CONFIG_NET_PCI) [Y/n/?] n 
Pocket and portable adapters (CONFIG_NET_POCKET) [N/y/?] 


* 


* Ethernet (1000 Mbit) 

Alteon AceNIC/3Com 3C985/NetGear GA620 Gigabit support (CONFIG_ACENIC) [N/y/?] 
Packet Engines Hamachi GNIC-II support (CONFIG_HAMACHI) [N/y/?] 

SysKonnect SK-98xx support (CONFIG_SK98LIN) [N/y/?] 

FDDI driver support (CONFIG_FDDI) [N/y/?] 

PPP (point-to-point protocol) support (CONFIG_PPP) [N/y/?] 

SLIP (serial line) support (CONFIG_SLIP) [N/y/?] 

* Wireless LAN (non-hamradio) 

Wireless LAN (non-hamradio) (CONFIG_NET_RADIO) [N/y/?] 

* Token Ring devices 


Token Ring driver support (CONFIG_TR) [N/y/?] 
Fibre Channel driver support (CONFIG_NET_FC) [N/y/?] 
* Wan interfaces 
Wan interfaces support (CONFIG_WAN) [N/y/?] 
* Amateur Radio support 
Amateur Radio support (CONFIG_HAMRADIO) [N/y/?] 
* IrDA (infrared) support 
IrDA subsystem support (CONFIG_IRDA) [N/y/?] 
* ISDN subsystem 
ISDN support (CONFIG_ISDN) [N/y/?] 
* Old CD-ROM drivers (not SCSI, not IDE) 
Support non-SCSI/IDE/ATAPI CDROM drives (CONFIG_CD_NO_IDESCSI) [N/y/?] 
* Input core support 
Input core support (CONFIG_INPUT) [N/y/?] 
* Character devices 
Virtual terminal (CONFIG_VT) [Y/n/?] 
Support for console on virtual terminal (CONFIG_VT_CONSOLE) [Y/n/?] 
Standard/generic (8250/16550 and compatible UARTs) serial support (CONFIG_SERIAL) [Y/n/?] 
Support for console on serial port (CONFIG_SERIAL_CONSOLE) [N/y/?] 
Extended dumb serial driver options (CONFIG_SERIAL_EXTENDED) [N/y/?] 
Non-standard serial port support (CONFIG_SERIAL_NONSTANDARD) [N/y/?] 
Unix98 PTY support (CONFIG_UNIX98_PTYS) [Y/n/?] 
Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [256] 128 
* I2C support 
I2C support (CONFIG_I2C) [N/y/?] 
* Mice 
Bus Mouse Support (CONFIG_BUSMOUSE) [N/y/?] 
Mouse Support (not serial and bus mice) (CONFIG_MOUSE) [Y/n/?] 
PS/2 mouse (aka "auxiliary device") support (CONFIG_PSMOUSE) [Y/n/?] 
C&T 82C710 mouse port support (as on TI Travelmate) (CONFIG_82C710_MOUSE) [N/y/?] 
PC110 digitizer pad support (CONFIG_PC110_PAD) [N/y/?] 
* Joysticks 
QIC-02 tape support (CONFIG_QIC02_TAPE) [N/y/?] 
* Watchdog Cards 
Watchdog Timer Support (CONFIG_WATCHDOG) [N/y/?] 
Intel i8x0 Random Number Generator support (CONFIG_INTEL_RNG) [N/y/?] 
/dev/nvram support (CONFIG_NVRAM) [N/y/?] 
Enhanced Real Time Clock Support (CONFIG_RTC) [N/y/?] 
Double Talk PC internal speech card support (CONFIG_DTLK) [N/y/?] 


Siemens R3964 line discipline (CONFIG_R3964) [N/y/?] 
Applicom intelligent fieldbus card support (CONFIG_APPLICOM) [N/y/?] 
* Ftape, the floppy tape device driver 


Ftape (QIC-80/Travan) support (CONFIG_FTAPE) [N/y/?] 
/dev/agpgart (AGP Support) (CONFIG_AGP) [Y/m/n/?] n 
Direct Rendering Manager (XFree86 DRI support) (CONFIG_DRM) [Y/n/?] n 


* Multimedia devices 
Video For Linux (CONFIG_VIDEO_DEV) [N/y/?] 
* File systems 


Quota support (CONFIG_QUOTA) [N/y/?] 
Kernel automounter support (CONFIG_AUTOFS_FS) [N/y/?] 
Kernel automounter version 4 support (also supports v3) (CONFIG_AUTOFS4_FS) [Y/n/?] n 
DOS FAT fs support (CONFIG_FAT_FS) [N/y/?] 
Compressed ROM file system support (CONFIG_CRAMFS) [N/y/?] 
Simple RAM-based file system support (CONFIG_RAMFS) [N/y/?] 
ISO 9660 CDROM file system support (CONFIG_ISO9660_FS) [Y/n/?] 
Microsoft Joliet CDROM extensions (CONFIG_JOLIET) [N/y/?] 
Minix fs support (CONFIG_MINIX_FS) [N/y/?] 
NTFS file system support (read only) (CONFIG_NTFS_FS) [N/y/?] 
OS/2 HPFS file system support (CONFIG_HPFS_FS) [N/y/?] 
/proc file system support (CONFIG_PROC_FS) [Y/n/?] 
/dev/pts file system for Unix98 PTYs (CONFIG_DEVPTS_FS) [Y/n/?] 
ROM file system support (CONFIG_ROMFS_FS) [N/y/?] 
Second extended fs support (CONFIG_EXT2_FS) [Y/n/?] 
System V and Coherent file system support (read only) (CONFIG_SYSV_FS) [N/y/?] 
UDF file system support (read only) (CONFIG_UDF_FS) [N/y/?] 
UFS file system support (read only) (CONFIG_UFS_FS) [N/y/?] 


* Network File Systems 


Coda file system support (advanced network fs) (CONFIG_CODA_FS) [N/y/?] 

NFS file system support (CONFIG_NFS_FS) [Y/n/?] n 

NFS server support (CONFIG_NFSD) [Y/n/?] n 

SMB file system support (to mount Windows shares etc.) (CONFIG_SMB_FS) [N/y/?] 
NCP file system support (to mount NetWare volumes) (CONFIG_NCP_FS) [N/y/?] 


* Partition Types 
Advanced partition selection (CONFIG_PARTITION_ADVANCED) [N/y/?] 
* Console drivers 


VGA text console (CONFIG_VGA_CONSOLE) [Y/n/?] 
Video mode selection support (CONFIG_VIDEO_SELECT) [N/y/?] 


* Sound 
Sound card support (CONFIG_SOUND) [Y/n/?] n 


(Security options will appear only if you have patched your kernel with the Openwall Project patch.) 
* Security options 


Non-executable user stack area (CONFIG_SECURE_STACK) [Y] 

Autodetect and emulate GCC trampolines (CONFIG_SECURE_STACK_SMART) [Y] 
Restricted links in /tmp (CONFIG_SECURE_LINK) [Y] n 

Restricted FIFOs in /tmp (CONFIG_SECURE_FIFO) [Y] 

Restricted /proc (CONFIG_SECURE_PROC) [N] y 

Special handling of fd 0, 1, and 2 (CONFIG_SECURE_FD_0_1_2) [Y] 


Enforce RLIMIT_NPROC on execve(2) (CONFIG_SECURE_RLIMIT_NPROC) [Y] 
Destroy shared memory segments not in use (CONFIG_SECURE_SHM) [N] 
* USB support 

Support for USB (CONFIG_USB) [Y/n/?] n 

* Kernel hacking 

Magic SysRq key (CONFIG_MAGIC_SYSRQ) [N/y/?] 

*** End of Linux kernel configuration. 
*** Check the top-level Makefile for additional configuration. 
*** Next, you must run 'make dep'. 








WARNING: If you want to enable IPTABLES support in the kernel, the iptables program must 
be installed first or you will receive error messages during kernel compilation. This is because 
when iptables support is enabled, the kernel associates some part of the iptables 
program with its configuration. Therefore don't forget to install IPTABLES before configuring the kernel 
with IPTABLES support. The same warning applies to quota support in the kernel. 














Modularized kernel configuration 

Building a kernel with modules (a modularized kernel) has some advantages. It allows easy 
portability between different Linux systems, since you can choose to build different parts of the 
kernel as modules and load that segment of code on demand. Below we show you the 
configuration of a modularized kernel, which compiles some of the needed code and drivers as 
modules by answering the different questions with y, n or m. As with the previous 
monolithic kernel configuration, don't forget to compile only the code that you need and use. 


A new kernel is very specific to your computer hardware. In the modularized kernel 
configuration part below, we assume the following hardware for our example. Of course you must 
change it to fit your system components. 


1 Pentium II 400 MHz (i686) processor 
1 SCSI Motherboard 
1 SCSI Hard Disk 
1 SCSI Controller Adaptec AIC 7xxx 
1 CD-ROM ATAPI IDE 
1 Floppy Disk 
2 Ethernet Cards Intel EtherExpressPro 10/100 
1 Mouse PS/2 


If you don't want some options listed in the modularized kernel configuration that I enable by 
default, answer n (for no) instead of y (for yes) or m (for modularized if possible) to the related 
questions. If you want some other options that I disable, then answer y or m instead of n. 
In the configuration below, we have enabled loadable module support in the kernel, tuned our kernel 
for a Pentium II family (i686) processor, and enabled the full Netfilter firewall with masquerading and 
forwarding support. This is a perfect configuration if you want to run your system as a 
Gateway/Proxy Server, since it will be capable of forwarding and redistributing network packets. After 
that, we enable DMA support for IDE disk drives since our CD-ROM in this example is an IDE 
model (if your system is pure SCSI you can disable support for IDE and DMA) and enable SCSI 
disk support for the Adaptec AIC7xxx model. We configure the kernel to work with Intel 
EtherExpressPro/100 network cards, and disable the insecure NFS services, USB support and sound 
features for our Linux server. 
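As an added example that is not part of the book, the following POSIX shell script checks a finished .config against the choices both the monolithic and the modularized (Gateway/Proxy) configurations above make: Netfilter, IP tables and SYN cookies on; NFS, USB and sound off; no module support for the monolithic build; connection tracking, NAT, MASQUERADE and advanced routing present for the gateway build. The function names, the profile names and the sample .config are ours; the CONFIG_ symbols are the ones answered in the two configurations.

```shell
#!/bin/sh
# Added example, not from the book: audit a kernel .config against the
# security-relevant choices made in this chapter. check_kernel_config and the
# "monolithic"/"gateway" profile names are ours; the CONFIG_ symbols are the
# ones the chapter answers y/n/m to.

# Turned on in both configurations of the chapter.
REQUIRED_ON="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_SYN_COOKIES CONFIG_SYSCTL"
# Turned off in both configurations (insecure NFS, USB, sound).
REQUIRED_OFF="CONFIG_NFS_FS CONFIG_NFSD CONFIG_USB CONFIG_SOUND"
# Needed by the modularized Gateway/Proxy configuration for masquerading/forwarding.
GATEWAY_ON="CONFIG_IP_NF_CONNTRACK CONFIG_IP_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE CONFIG_IP_ADVANCED_ROUTER"

# config_value FILE SYMBOL: prints y, m or n. A "# SYMBOL is not set" line or
# an absent symbol both count as n, which is how the kernel build treats them.
config_value() {
    _cv=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2)
    case "$_cv" in
        y|m) printf '%s\n' "$_cv" ;;
        *)   printf 'n\n' ;;
    esac
}

# check_kernel_config FILE PROFILE
# PROFILE is "monolithic" (no module support, everything built in) or
# "gateway" (modularized build with NAT and forwarding).
# Prints one line per deviation and returns the number of deviations (0 = clean).
check_kernel_config() {
    _file=$1; _profile=$2; _bad=0
    for _sym in $REQUIRED_ON; do
        _v=$(config_value "$_file" "$_sym")
        if [ "$_v" = n ]; then
            echo "MISSING  $_sym should be enabled"; _bad=$((_bad + 1))
        elif [ "$_profile" = monolithic ] && [ "$_v" = m ]; then
            echo "MODULE   $_sym is a module, but a monolithic kernel builds it in"; _bad=$((_bad + 1))
        fi
    done
    for _sym in $REQUIRED_OFF; do
        if [ "$(config_value "$_file" "$_sym")" != n ]; then
            echo "ENABLED  $_sym should be disabled"; _bad=$((_bad + 1))
        fi
    done
    case "$_profile" in
        monolithic)
            if [ "$(config_value "$_file" CONFIG_MODULES)" != n ]; then
                echo "ENABLED  CONFIG_MODULES must be off for a monolithic kernel"; _bad=$((_bad + 1))
            fi ;;
        gateway)
            for _sym in $GATEWAY_ON; do
                if [ "$(config_value "$_file" "$_sym")" = n ]; then
                    echo "MISSING  $_sym is needed for masquerading/forwarding"; _bad=$((_bad + 1))
                fi
            done ;;
    esac
    return "$_bad"
}

# Constructed sample .config (not a real file from the book): a monolithic build
# where NFS was left on and SYN cookies were forgotten.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
# CONFIG_SYN_COOKIES is not set
CONFIG_SYSCTL=y
CONFIG_NFS_FS=y
# CONFIG_NFSD is not set
# CONFIG_USB is not set
# CONFIG_SOUND is not set
EOF
check_kernel_config "$SAMPLE" monolithic || echo "deviations found: $?"
rm -f "$SAMPLE"
```

Run it against /usr/src/linux/.config after make config and before make dep, so a forgotten answer is caught before the compile rather than after the reboot.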











rm -f include/asm 

(cd include ; ln -sf asm-i386 asm) 

/bin/sh scripts/Configure arch/i386/config.in 
# 

# Using defaults found in arch/i386/defconfig 
# 


* 


* Code maturity level options 
Prompt for development and/or incomplete code/drivers (CONFIG_EXPERIMENTAL) [N/y/?] 
* Loadable module support 


Enable loadable module support (CONFIG_MODULES) [Y/n/?] 
Set version information on all module symbols (CONFIG_MODVERSIONS) [Y/n/?] n 
Kernel module loader (CONFIG_KMOD) [Y/n/?] 


* Processor type and features 


Processor family (386, 486, 586/K5/5x86/6x86/6x86MX, Pentium-Classic, Pentium-MMX, Pentium-Pro/Celeron/Pentium-II, Pentium-III, Pentium-4, K6/K6-II/K6-III, Athlon/K7, Crusoe, Winchip-C6, Winchip-2, Winchip-2A/Winchip-3) [Pentium-III] Pentium-Pro/Celeron/Pentium-II 
defined CONFIG_M686 
Toshiba Laptop support (CONFIG_TOSHIBA) [N/y/m/?] 
/dev/cpu/microcode - Intel IA32 CPU microcode support (CONFIG_MICROCODE) [N/y/m/?] 
/dev/cpu/*/msr - Model-specific register support (CONFIG_X86_MSR) [N/y/m/?] 
/dev/cpu/*/cpuid - CPU information support (CONFIG_X86_CPUID) [N/y/m/?] 
High Memory Support (off, 4GB, 64GB) [off] 
defined CONFIG_NOHIGHMEM 
Math emulation (CONFIG_MATH_EMULATION) [N/y/?] (NEW) 
MTRR (Memory Type Range Register) support (CONFIG_MTRR) [N/y/?] 
Symmetric multi-processing support (CONFIG_SMP) [Y/n/?] n 
APIC and IO-APIC support on uniprocessors (CONFIG_X86_UP_IOAPIC) [N/y/?] (NEW) y 


* General setup 


Networking support (CONFIG_NET) [Y/n/?] 
SGI Visual Workstation support (CONFIG_VISWS) [N/y/?] 
PCI support (CONFIG_PCI) [Y/n/?] 
PCI access mode (BIOS, Direct, Any) [Any] 
defined CONFIG_PCI_GOANY 
PCI device name database (CONFIG_PCI_NAMES) [Y/n/?] n 
EISA support (CONFIG_EISA) [N/y/?] 
MCA support (CONFIG_MCA) [N/y/?] 
Support for hot-pluggable devices (CONFIG_HOTPLUG) [Y/n/?] n 
System V IPC (CONFIG_SYSVIPC) [Y/n/?] 
BSD Process Accounting (CONFIG_BSD_PROCESS_ACCT) [N/y/?] 
Sysctl support (CONFIG_SYSCTL) [Y/n/?] 
Kernel core (/proc/kcore) format (ELF, A.OUT) [ELF] 
defined CONFIG_KCORE_ELF 
Kernel support for a.out binaries (CONFIG_BINFMT_AOUT) [Y/m/n/?] 
Kernel support for ELF binaries (CONFIG_BINFMT_ELF) [Y/m/n/?] 
Kernel support for MISC binaries (CONFIG_BINFMT_MISC) [Y/m/n/?] 
Power Management support (CONFIG_PM) [Y/n/?] n 


* Memory Technology Devices (MTD) 

Memory Technology Device (MTD) support (CONFIG_MTD) [N/y/m/?] 

* Parallel port support 

Parallel port support (CONFIG_PARPORT) [N/y/m/?] 

* Plug and Play configuration 

Plug and Play support (CONFIG_PNP) [Y/m/n/?] n 

* Block devices 

Normal PC floppy disk support (CONFIG_BLK_DEV_FD) [Y/m/n/?] 

XT hard disk support (CONFIG_BLK_DEV_XD) [N/y/m/?] 

Compaq SMART2 support (CONFIG_BLK_CPQ_DA) [N/y/m/?] 
Compaq CISS Array support (CONFIG_BLK_CPQ_CISS_DA) [N/y/m/?] 
Mylex DAC960/DAC1100 PCI RAID Controller support (CONFIG_BLK_DEV_DAC960) [N/y/m/?] 
Loopback device support (CONFIG_BLK_DEV_LOOP) [N/y/m/?] 


Network block device support (CONFIG_BLK_DEV_NBD) [N/y/m/?] 
RAM disk support (CONFIG_BLK_DEV_RAM) [N/y/m/?] 





* Multi-device support (RAID and LVM) 
Multiple devices driver support (RAID and LVM) (CONFIG_MD) [N/y/?] 
* Networking options 


Packet socket (CONFIG_PACKET) [Y/m/n/?] 
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y 
Kernel/User netlink socket (CONFIG_NETLINK) [N/y/?] y 
Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y 
Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) y 
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y 
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y 
Socket Filtering (CONFIG_FILTER) [N/y/?] 
Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] 
TCP/IP networking (CONFIG_INET) [Y/n/?] 
IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n 
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?] y 
IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [N/y/?] (NEW) y 
IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [N/y/?] (NEW) y 
IP: fast network address translation (CONFIG_IP_ROUTE_NAT) [N/y/?] (NEW) y 
IP: equal cost multipath (CONFIG_IP_ROUTE_MULTIPATH) [N/y/?] (NEW) y 
IP: use TOS value as routing key (CONFIG_IP_ROUTE_TOS) [N/y/?] (NEW) y 
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [N/y/?] (NEW) y 
IP: large routing tables (CONFIG_IP_ROUTE_LARGE_TABLES) [N/y/?] (NEW) y 
IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] 
IP: tunneling (CONFIG_NET_IPIP) [N/y/m/?] 
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?] 
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] 
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [N/y/?] y 


* 


* IP: Netfilter Configuration 
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/m/?] (NEW) m 
FTP protocol support (CONFIG_IP_NF_FTP) [N/m/?] (NEW) m 
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/m/?] (NEW) m 
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/m/?] (NEW) m 
MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/m/?] (NEW) m 
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/m/?] (NEW) m 
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/m/?] (NEW) m 
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/m/?] (NEW) m 
tcpmss match support (CONFIG_IP_NF_MATCH_TCPMSS) [N/m/?] (NEW) m 
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [N/m/?] (NEW) m 
Packet filtering (CONFIG_IP_NF_FILTER) [N/m/?] (NEW) m 
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/m/?] (NEW) m 
Full NAT (CONFIG_IP_NF_NAT) [N/m/?] (NEW) m 
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) [N/m/?] (NEW) m 
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [N/m/?] (NEW) m 
Packet mangling (CONFIG_IP_NF_MANGLE) [N/m/?] (NEW) m 
TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/m/?] (NEW) m 
MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/m/?] (NEW) m 
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/m/?] (NEW) m 
TCPMSS target support (CONFIG_IP_NF_TARGET_TCPMSS) [N/m/?] (NEW) m 
ipchains (2.2-style) support (CONFIG_IP_NF_COMPAT_IPCHAINS) [N/y/m/?] (NEW) 
ipfwadm (2.0-style) support (CONFIG_IP_NF_COMPAT_IPFWADM) [N/y/m/?] (NEW) 


* 


* 


The IPX protocol (CONFIG_IPX) [N/y/m/?] 

Appletalk protocol support (CONFIG_ATALK) [N/y/m/?] 
DECnet Support (CONFIG_DECNET) [N/y/m/?] 

802.1d Ethernet Bridging (CONFIG_BRIDGE) [N/y/m/?] 


* QoS and/or fair queueing 
QoS and/or fair queueing (EXPERIMENTAL) (CONFIG_NET_SCHED) [N/y/?] 
* Telephony Support 
Linux telephony support (CONFIG_PHONE) [N/y/m/?] 
* ATA/IDE/MFM/RLL support 
ATA/IDE/MFM/RLL support (CONFIG_IDE) [Y/m/n/?] m 
* IDE, ATA and ATAPI Block devices 
Enhanced IDE/MFM/RLL disk/cdrom/tape/floppy support (CONFIG_BLK_DEV_IDE) [M/n/?] 
* Please see Documentation/ide.txt for help/info on IDE drives 
Use old disk-only driver on primary interface (CONFIG_BLK_DEV_HD_IDE) [N/y/?] 
Include IDE/ATA-2 DISK support (CONFIG_BLK_DEV_IDEDISK) [M/n/?] 
Use multi-mode by default (CONFIG_IDEDISK_MULTI_MODE) [N/y/?] 
Include IDE/ATAPI CDROM support (CONFIG_BLK_DEV_IDECD) [M/n/?] 
Include IDE/ATAPI TAPE support (CONFIG_BLK_DEV_IDETAPE) [N/y/m/?] 
Include IDE/ATAPI FLOPPY support (CONFIG_BLK_DEV_IDEFLOPPY) [N/y/m/?] 
SCSI emulation support (CONFIG_BLK_DEV_IDESCSI) [N/y/m/?] 
* IDE chipset support/bugfixes 
CMD640 chipset bugfix/support (CONFIG_BLK_DEV_CMD640) [Y/n/?] n 
RZ1000 chipset bugfix/support (CONFIG_BLK_DEV_RZ1000) [Y/n/?] n 
Generic PCI IDE chipset support (CONFIG_BLK_DEV_IDEPCI) [Y/n/?] 
Sharing PCI IDE interrupts support (CONFIG_IDEPCI_SHARE_IRQ) [Y/n/?] 


Generic PCI bus-master DMA support (CONFIG_BLK_DEV_IDEDMA_PCI) [N/y/?] y 
Boot off-board chipsets first support (CONFIG_BLK_DEV_OFFBOARD) [N/y/?] 
Use PCI DMA by default when available (CONFIG_IDEDMA_PCI_AUTO) [N/y/?] y 
AEC62XX chipset support (CONFIG_BLK_DEV_AEC62XX) [N/y/?] 
ALI M15x3 chipset support (CONFIG_BLK_DEV_ALI15X3) [N/y/?] 
AMD Viper support (CONFIG_BLK_DEV_AMD7409) [N/y/?] 
CMD64X chipset support (CONFIG_BLK_DEV_CMD64X) [N/y/?] 
CY82C693 chipset support (CONFIG_BLK_DEV_CY82C693) [N/y/?] 
Cyrix CS5530 MediaGX chipset support (CONFIG_BLK_DEV_CS5530) [N/y/?] 
HPT34X chipset support (CONFIG_BLK_DEV_HPT34X) [N/y/?] 
HPT366 chipset support (CONFIG_BLK_DEV_HPT366) [N/y/?] 
Intel PIIXn chipsets support (CONFIG_BLK_DEV_PIIX) [N/y/?] 
NS87415 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_NS87415) [N/y/?] 
PROMISE PDC20246/PDC20262/PDC20267 support (CONFIG_BLK_DEV_PDC202XX) [N/y/?] 
ServerWorks OSB4 chipset support (CONFIG_BLK_DEV_OSB4) [N/y/?] 
SiS5513 chipset support (CONFIG_BLK_DEV_SIS5513) [N/y/?] 
SLC90E66 chipset support (CONFIG_BLK_DEV_SLC90E66) [N/y/?] 
Tekram TRM290 chipset support (EXPERIMENTAL) (CONFIG_BLK_DEV_TRM290) [N/y/?] 
VIA82CXXX chipset support (CONFIG_BLK_DEV_VIA82CXXX) [N/y/?] 
Other IDE chipset support (CONFIG_IDE_CHIPSETS) [N/y/?] 
IGNORE word93 Validation BITS (CONFIG_IDEDMA_IVB) [N/y/?] (NEW) 


* SCSI support 
SCSI support (CONFIG_SCSI) [Y/m/n/?] 
* SCSI support type (disk, tape, CD-ROM) 


SCSI disk support (CONFIG_BLK_DEV_SD) [Y/m/n/?] 

Maximum number of SCSI disks that can be loaded as modules (CONFIG_SD_EXTRA_DEVS) [40] 
SCSI tape support (CONFIG_CHR_DEV_ST) [N/y/m/?] 

SCSI OnStream SC-x0 tape support (CONFIG_CHR_DEV_OSST) [N/y/m/?] 

SCSI CD-ROM support (CONFIG_BLK_DEV_SR) [N/y/m/?] 

SCSI generic support (CONFIG_CHR_DEV_SG) [N/y/m/?] 


* Some SCSI devices (e.g. CD jukebox) support multiple LUNs 


Enable extra checks in new queueing code (CONFIG_SCSI_DEBUG_QUEUES) [Y/n/?] n 
Probe all LUNs on each SCSI device (CONFIG_SCSI_MULTI_LUN) [Y/n/?] n 

Verbose SCSI error reporting (kernel size +=12K) (CONFIG_SCSI_CONSTANTS) [Y/n/?] n 
SCSI logging facility (CONFIG_SCSI_LOGGING) [N/y/?] 


* SCSI low-level drivers 


3ware Hardware ATA-RAID support (CONFIG_BLK_DEV_3W_XXXX_RAID) [N/y/m/?] 
7000FASST SCSI support (CONFIG_SCSI_7000FASST) [N/y/m/?] 
ACARD SCSI support (CONFIG_SCSI_ACARD) [N/y/m/?] 
Adaptec AHA152X/2825 support (CONFIG_SCSI_AHA152X) [N/y/m/?] 
Adaptec AHA1542 support (CONFIG_SCSI_AHA1542) [N/y/m/?] 
Adaptec AHA1740 support (CONFIG_SCSI_AHA1740) [N/y/m/?] 
Adaptec AIC7xxx support (CONFIG_SCSI_AIC7XXX) [N/y/m/?] y 
Enable Tagged Command Queueing (TCQ) by default (CONFIG_AIC7XXX_TCQ_ON_BY_DEFAULT) 
[N/y/?] (NEW) y 
Maximum number of TCQ commands per device (CONFIG_AIC7XXX_CMDS_PER_DEVICE) [8] (NEW) 
Collect statistics to report in /proc (CONFIG_AIC7XXX_PROC_STATS) [N/y/?] (NEW) 
Delay in seconds after SCSI bus reset (CONFIG_AIC7XXX_RESET_DELAY) [5] (NEW) 
AdvanSys SCSI support (CONFIG_SCSI_ADVANSYS) [N/y/m/?] 
Always IN2000 SCSI support (CONFIG_SCSI_IN2000) [N/y/m/?] 
AM53/79C974 PCI SCSI support (CONFIG_SCSI_AM53C974) [N/y/m/?] 
AMI MegaRAID support (CONFIG_SCSI_MEGARAID) [N/y/m/?] 
BusLogic SCSI support (CONFIG_SCSI_BUSLOGIC) [N/y/m/?] 
Compaq Fibre Channel 64-bit/66Mhz HBA support (CONFIG_SCSI_CPQFCTS) [N/y/m/?] 
DMX3191D SCSI support (CONFIG_SCSI_DMX3191D) [N/y/m/?] 
DTC3180/3280 SCSI support (CONFIG_SCSI_DTC3280) [N/y/m/?] 
EATA ISA/EISA/PCI (DPT and generic EATA/DMA-compliant boards) support (CONFIG_SCSI_EATA) 
[N/y/m/?] 

EATA-DMA [Obsolete] (DPT, NEC, AT&T, SNI, AST, Olivetti, Alphatronix) support 
(CONFIG_SCSI_EATA_DMA) [N/y/m/?] 

EATA-PIO (old DPT PM2001, PM2012A) support (CONFIG_SCSI_EATA_PIO) [N/y/m/?] 
Future Domain 16xx SCSI/AHA-2920A support (CONFIG_SCSI_FUTURE_DOMAIN) [N/y/m/?] 
GDT SCSI Disk Array Controller support (CONFIG_SCSI_GDTH) [N/y/m/?] 

Generic NCR5380/53c400 SCSI support (CONFIG_SCSI_GENERIC_NCR5380) [N/y/m/?] 
IBM ServeRAID support (CONFIG_SCSI_IPS) [N/y/m/?] 

Initio 9100U(W) support (CONFIG_SCSI_INITIO) [N/y/m/?] 

Initio INI-A100U2W support (CONFIG_SCSI_INIA100) [N/y/m/?] 

NCR53c406a SCSI support (CONFIG_SCSI_NCR53C406A) [N/y/m/?] 

NCR53c7,8xx SCSI support (CONFIG_SCSI_NCR53C7xx) [N/y/m/?] 

NCR53C8XX SCSI support (CONFIG_SCSI_NCR53C8XX) [N/y/m/?] 

SYM53C8XX SCSI support (CONFIG_SCSI_SYM53C8XX) [Y/m/n/?] n 

PAS16 SCSI support (CONFIG_SCSI_PAS16) [N/y/m/?] 

PCI2000 support (CONFIG_SCSI_PCI2000) [N/y/m/?] 

PCI2220i support (CONFIG_SCSI_PCI2220I) [N/y/m/?] 

PSI240i support (CONFIG_SCSI_PSI240I) [N/y/m/?] 

Qlogic FAS SCSI support (CONFIG_SCSI_QLOGIC_FAS) [N/y/m/?] 

Qlogic ISP SCSI support (CONFIG_SCSI_QLOGIC_ISP) [N/y/m/?] 

Qlogic ISP FC SCSI support (CONFIG_SCSI_QLOGIC_FC) [N/y/m/?] 

Qlogic QLA 1280 SCSI support (CONFIG_SCSI_QLOGIC_1280) [N/y/m/?] 

Seagate ST-02 and Future Domain TMC-8xx SCSI support (CONFIG_SCSI_SEAGATE) [N/y/m/?] 
Simple 53c710 SCSI support (Compaq, NCR machines) (CONFIG_SCSI_SIM710) [N/y/m/?] 
Symbios 53c416 SCSI support (CONFIG_SCSI_SYM53C416) [N/y/m/?] 

Tekram DC390(T) and Am53/79C974 SCSI support (CONFIG_SCSI_DC390T) [N/y/m/?] 
Trantor T128/T128F/T228 SCSI support (CONFIG_SCSI_T128) [N/y/m/?] 

UltraStor 14F/34F support (CONFIG_SCSI_U14_34F) [N/y/m/?] 

UltraStor SCSI support (CONFIG_SCSI_ULTRASTOR) [N/y/m/?] 


* I2O device support 

I2O support (CONFIG_I2O) [N/y/m/?] 

* Network device support 

Network device support (CONFIG_NETDEVICES) [Y/n/?] 
* ARCnet devices 


ARCnet support (CONFIG_ARCNET) [N/y/m/?] 

Dummy net driver support (CONFIG_DUMMY) [M/n/y/?] 

Bonding driver support (CONFIG_BONDING) [N/y/m/?] 

EQL (serial line load balancing) support (CONFIG_EQUALIZER) [N/y/m/?] 
Universal TUN/TAP device driver support (CONFIG_TUN) [N/y/m/?] 
General Instruments Surfboard 1000 (CONFIG_NET_SB1000) [N/y/m/?] 


* Ethernet (10 or 100Mbit) 


Ethernet (10 or 100Mbit) (CONFIG_NET_ETHERNET) [Y/n/?] 
3COM cards (CONFIG_NET_VENDOR_3COM) [N/y/?] 
AMD LANCE and PCnet (AT1500 and NE2100) support (CONFIG_LANCE) [N/y/m/?] 
Western Digital/SMC cards (CONFIG_NET_VENDOR_SMC) [N/y/?] 
Racal-Interlan (Micom) NI cards (CONFIG_NET_VENDOR_RACAL) [N/y/?] 
DEPCA, DE10x, DE200, DE201, DE202, DE422 support (CONFIG_DEPCA) [N/y/m/?] 
HP 10/100VG PCLAN (ISA, EISA, PCI) support (CONFIG_HP100) [N/y/m/?] 
Other ISA cards (CONFIG_NET_ISA) [N/y/?] 
EISA, VLB, PCI and on board controllers (CONFIG_NET_PCI) [Y/n/?] 
AMD PCnet32 PCI support (CONFIG_PCNET32) [N/y/m/?] 
Apricot Xen-II on board Ethernet (CONFIG_APRICOT) [N/y/m/?] 
CS89x0 support (CONFIG_CS89x0) [N/y/m/?] 
DECchip Tulip (dc21x4x) PCI support (CONFIG_TULIP) [N/y/m/?] 

Generic DECchip & DIGITAL EtherWORKS PCI/EISA (CONFIG_DE4X5) [N/y/m/?] 

Digi Intl. RightSwitch SE-X support (CONFIG_DGRS) [N/y/m/?] 

EtherExpressPro/100 support (CONFIG_EEPRO100) [Y/m/n/?] 

National Semiconductor DP83810 series PCI Ethernet support (CONFIG_NATSEMI) [N/y/m/?] 

PCI NE2000 and clones support (see help) (CONFIG_NE2K_PCI) [N/y/m/?] 

RealTek RTL-8139 PCI Fast Ethernet Adapter support (CONFIG_8139TOO) [N/y/m/?] 

SiS 900/7016 PCI Fast Ethernet Adapter support (CONFIG_SIS900) [N/y/m/?] 

SMC EtherPower II (CONFIG_EPIC100) [N/y/m/?] 

Sundance Alta support (CONFIG_SUNDANCE) [N/y/m/?] 

TI ThunderLAN support (CONFIG_TLAN) [N/y/m/?] 

VIA Rhine support (CONFIG_VIA_RHINE) [N/y/m/?] 

Winbond W89c840 Ethernet support (CONFIG_WINBOND_840) [N/y/m/?] 

Sun Happy Meal 10/100baseT PCI support (CONFIG_HAPPYMEAL) [N/y/m/?] 
Pocket and portable adapters (CONFIG_NET_POCKET) [N/y/?] 


* Ethernet (1000 Mbit) 

Alteon AceNIC/3Com 3C985/NetGear GA620 Gigabit support (CONFIG_ACENIC) [N/y/m/?] 
Packet Engines Hamachi GNIC-II support (CONFIG_HAMACHI) [N/y/m/?] 

SysKonnect SK-98xx support (CONFIG_SK98LIN) [N/y/m/?] 

FDDI driver support (CONFIG_FDDI) [N/y/?] 

PPP (point-to-point protocol) support (CONFIG_PPP) [N/y/m/?] 

SLIP (serial line) support (CONFIG_SLIP) [N/y/m/?] 

* Wireless LAN (non-hamradio) 

Wireless LAN (non-hamradio) (CONFIG_NET_RADIO) [N/y/?] 

* Token Ring devices 


Token Ring driver support (CONFIG_TR) [N/y/?] 
Fibre Channel driver support (CONFIG_NET_FC) [N/y/?] 


* Wan interfaces 

Wan interfaces support (CONFIG_WAN) [N/y/?] 

* Amateur Radio support 

Amateur Radio support (CONFIG_HAMRADIO) [N/y/?] 
* IrDA (infrared) support 

IrDA subsystem support (CONFIG_IRDA) [N/y/m/?] 

* ISDN subsystem 

ISDN support (CONFIG_ISDN) [N/y/m/?] 

* Old CD-ROM drivers (not SCSI, not IDE) 

Support non-SCSI/IDE/ATAPI CDROM drives (CONFIG_CD_NO_IDESCSI) [N/y/?] 
* Input core support 

Input core support (CONFIG_INPUT) [N/y/m/?] 

* Character devices 

Virtual terminal (CONFIG_VT) [Y/n/?] 
Support for console on virtual terminal (CONFIG_VT_CONSOLE) [Y/n/?] 
Standard/generic (8250/16550 and compatible UARTs) serial support (CONFIG_SERIAL) [Y/m/n/?] 
Support for console on serial port (CONFIG_SERIAL_CONSOLE) [N/y/?] 

Extended dumb serial driver options (CONFIG_SERIAL_EXTENDED) [N/y/?] 

Non-standard serial port support (CONFIG_SERIAL_NONSTANDARD) [N/y/?] 

Unix98 PTY support (CONFIG_UNIX98_PTYS) [Y/n/?] 

Maximum number of Unix98 PTYs in use (0-2048) (CONFIG_UNIX98_PTY_COUNT) [256] 128 


* I2C support 
I2C support (CONFIG_I2C) [N/y/m/?] 
* Mice 


Bus Mouse Support (CONFIG_BUSMOUSE) [N/y/m/?] 

Mouse Support (not serial and bus mice) (CONFIG_MOUSE) [Y/m/n/?] 

PS/2 mouse (aka "auxiliary device") support (CONFIG_PSMOUSE) [Y/n/?] 

C&T 82C710 mouse port support (as on TI Travelmate) (CONFIG_82C710_MOUSE) [N/y/m/?] 
PC110 digitizer pad support (CONFIG_PC110_PAD) [N/y/m/?] 


* Joysticks 


* Input core support is needed for joysticks 
QIC-02 tape support (CONFIG_QIC02_TAPE) [N/y/m/?] 
* Watchdog Cards 


Watchdog Timer Support (CONFIG_WATCHDOG) [N/y/?] 

Intel i8x0 Random Number Generator support (CONFIG_INTEL_RNG) [N/y/m/?] 
/dev/nvram support (CONFIG_NVRAM) [N/y/m/?] 

Enhanced Real Time Clock Support (CONFIG_RTC) [N/y/m/?] 

Double Talk PC internal speech card support (CONFIG_DTLK) [N/y/m/?] 
Siemens R3964 line discipline (CONFIG_R3964) [N/y/m/?] 

Applicom intelligent fieldbus card support (CONFIG_APPLICOM) [N/y/m/?] 


* Ftape, the floppy tape device driver 


Ftape (QIC-80/Travan) support (CONFIG_FTAPE) [N/y/m/?] 
/dev/agpgart (AGP Support) (CONFIG_AGP) [Y/m/n/?] n 
Direct Rendering Manager (XFree86 DRI support) (CONFIG_DRM) [Y/n/?] n 


* Multimedia devices 
Video For Linux (CONFIG_VIDEO_DEV) [N/y/m/?] 
* File systems 


Quota support (CONFIG_QUOTA) [N/y/?] 

Kernel automounter support (CONFIG_AUTOFS_FS) [N/y/m/?] 

Kernel automounter version 4 support (also supports v3) (CONFIG_AUTOFS4_FS) [Y/m/n/?] n 

DOS FAT fs support (CONFIG_FAT_FS) [N/y/m/?] 

Compressed ROM file system support (CONFIG_CRAMFS) [N/y/m/?] 

Simple RAM-based file system support (CONFIG_RAMFS) [N/y/m/?] 

ISO 9660 CDROM file system support (CONFIG_ISO9660_FS) [Y/m/n/?] m 
Microsoft Joliet CDROM extensions (CONFIG_JOLIET) [N/y/?] 

Minix fs support (CONFIG_MINIX_FS) [N/y/m/?] 

NTFS file system support (read only) (CONFIG_NTFS_FS) [N/y/m/?] 

OS/2 HPFS file system support (CONFIG_HPFS_FS) [N/y/m/?] 

/proc file system support (CONFIG_PROC_FS) [Y/n/?] 

/dev/pts file system for Unix98 PTYs (CONFIG_DEVPTS_FS) [Y/n/?] 

ROM file system support (CONFIG_ROMFS_FS) [N/y/m/?] 
Second extended fs support (CONFIG_EXT2_FS) [Y/m/n/?] 

System V and Coherent file system support (read only) (CONFIG_SYSV_FS) [N/y/m/?] 
UDF file system support (read only) (CONFIG_UDF_FS) [N/y/m/?] 

UFS file system support (read only) (CONFIG_UFS_FS) [N/y/m/?] 


* Network File Systems 


Coda file system support (advanced network fs) (CONFIG_CODA_FS) [N/y/m/?] 

NFS file system support (CONFIG_NFS_FS) [Y/m/n/?] n 

NFS server support (CONFIG_NFSD) [Y/m/n/?] n 

SMB file system support (to mount Windows shares etc.) (CONFIG_SMB_FS) [N/y/m/?] 
NCP file system support (to mount NetWare volumes) (CONFIG_NCP_FS) [N/y/m/?] 


* Partition Types 
Advanced partition selection (CONFIG_PARTITION_ADVANCED) [N/y/?] 


* Console drivers 
VGA text console (CONFIG_VGA_CONSOLE) [Y/n/?] 
Video mode selection support (CONFIG_VIDEO_SELECT) [N/y/?] 


* Sound 
Sound card support (CONFIG_SOUND) [Y/m/n/?] n 


(Security options will appear only if you are patched your kernel with the Openwall Project patch). 
* Security options 


Non-executable user stack area (CONFIG_SECURE_STACK) [Y] 

Autodetect and emulate GCC trampolines (CONFIG_SECURE_STACK_SMART) [Y] 
Restricted links in /tmp (CONFIG_SECURE_LINK) [Y] n 

Restricted FIFOs in /tmp (CONFIG_SECURE_FIFO) [Y] 

Restricted /proc (CONFIG_SECURE_PROC) [N] y 

Special handling of fd 0, 1, and 2 (CONFIG_SECURE_FD_0_1_2) [Y] 

Enforce RLIMIT_NPROC on execve(2) (CONFIG_SECURE_RLIMIT_NPROC) [Y] 
Destroy shared memory segments not in use (CONFIG_SECURE_SHM) [N] 


* USB support 

Support for USB (CONFIG_USB) [Y/m/n/?] n 

* Kernel hacking 

Magic SysRq key (CONFIG_MAGIC_SYSRQ) [N/y/?] 
*** End of Linux kernel configuration. 
*** Check the top-level Makefile for additional configuration. 
*** Next, you must run 'make dep'. 

WARNING: With the new kernel 2.4 and a SCSI system, you do not have the choice of configuring a 
modularized kernel, because of the option “Maximum number of SCSI disks that can 
be loaded as modules (CONFIG_SD_EXTRA_DEVS) [40]”, which does not let us compile 
it directly into the kernel. 


If you want to enable IPTABLES support in the kernel, the iptables program must be 
installed first, or you will receive error messages during kernel compilation. This is because when 
iptables support is enabled, the kernel associates some part of the iptables program with 
its configuration. Therefore, do not forget to install IPTABLES before configuring the kernel with 
IPTABLES support. Finally, the same warning is true for quota support in the kernel. 


Finally, it is important to note that the kernel configuration part related to “IP: Netfilter 
Configuration” has been configured as loadable modules in this example. This is because I 
want to show you a different kernel configuration from the first, monolithic kernel that you may 
have. With the kernel 2.4.x generation, we now have the possibility to compile all “IP: Netfilter 
Configuration” options related to Masquerading and Forwarding support directly into the 
kernel. Therefore it is for you to decide how you want to configure this part of the kernel for your 
system: you can configure it as modules, or compile it and include it directly into the kernel. 





Compiling the Kernel 

This section applies to both monolithic and modularized kernels. Now, return to the 
/usr/src/linux directory (if you are not already in it). You need to compile the new kernel. 
You do so by using the following command: 


• To compile the Kernel, use the following command: 
[root@deep linux]# make dep; make clean; make bzImage 


This line contains three commands in one. The first one, make dep, actually takes your 
configuration and builds the corresponding dependency tree. This process determines what gets 
compiled and what doesn’t. The next step, make clean, erases all previous traces of a 
compilation so as to avoid any mistakes in which the wrong version of a feature gets tied into the 
kernel. Finally, make bzImage does the full compilation of the kernel. 


After the process is complete, the kernel is compressed and ready to be installed on your system. 
Before we can install the new kernel, we must know if we need to compile the corresponding 
modules. This is required ONLY if you said yes to “Enable loadable module support 
(CONFIG_MODULES)” and have compiled some options in the kernel configuration above as a 
module (See Modularized kernel configuration). In this case, you must execute the following 
commands: 


• To compile the corresponding modules for your kernel, use the following commands: 
[root@deep linux]# make modules 
[root@deep linux]# make modules_install 








WARNING: The make modules and make modules_install commands are required ONLY if 
you said yes to “Enable loadable module support (CONFIG_MODULES)” in your kernel 
configuration (See Modularized kernel configuration) because you want to build a 
modularized kernel. 
Installing the Kernel 

This section applies to both monolithic and modularized kernels. Ok, the kernel has been 
configured and compiled and is now ready to be installed on your system. Below are the required 
steps to install all the necessary kernel components on your server. 


Step 1 
Copy the file /usr/src/linux/arch/i386/boot/bzImage from the kernel source tree to the 
/boot directory, and give it an appropriate new name. 


• To copy the bzImage file to the /boot directory, use the following commands: 
[root@deep /]# cd /usr/src/linux/ (if you are not already in it) 
[root@deep linux]# cp arch/i386/boot/bzImage /boot/vmlinuz-2.4.5 








NOTE: An appropriate or recommended new name is something like vmlinuz-2.4.5. This is 
important if you want to make a new rescue floppy or emergency boot floppy using the mkbootdisk tool, 
which has some specific requirements, for example: vmlinuz-2.4.5 instead of 
vmlinuz-2.4.5.a 





Step 2 

A new System.map file is generated when you compile a kernel; it is a list of all the addresses 
in that kernel and their corresponding symbols. Every time you create a new kernel, such a 
System.map file is created and saved in /usr/src/linux. In it you will find information about 
offsets within the kernel that are required by the modules if you have compiled the kernel as 
modularized. It is a text file, which is read by a few programs (like ps) to do address <-> symbol 
translation, and which you need if you ever get an Oops. 


Certain commands, like klog, ps, and lsof, use the System.map file to get the names of kernel 
symbols. Without it, some commands like lsof will complain that they can't find a System.map 
file to match the currently booted kernel. 


Copy the file /usr/src/linux/System.map from the kernel source tree to the /boot 
directory, and give it an appropriate new name. 


• To copy the System.map file to the /boot directory, use the following commands: 
[root@deep /]# cd /usr/src/linux/ (if you are not already in it) 
[root@deep linux]# cp System.map /boot/System.map-2.4.5 


Step 3 
Move into the /boot directory and rebuild the links vmlinuz and System.map. 


• To rebuild the vmlinuz and System.map links, use the following commands: 
[root@deep linux]# cd /boot/ 
[root@deep /boot]# ln -fs vmlinuz-2.4.5 vmlinuz 
[root@deep /boot]# ln -fs System.map-2.4.5 System.map 


We must rebuild the links vmlinuz and System.map to point them to the newly installed kernel 
version. Without the new links, the LILO program will look, by default, for the old version of your Linux 
kernel. 
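Steps 1 to 3 above can be carried out by one small shell function. The following is an added example written for this page, not a script from the book: the function takes the kernel source tree, the boot directory and the version string as parameters (the book uses /usr/src/linux, /boot and 2.4.5), refuses to touch the boot directory unless the build really produced both bzImage and System.map, then installs the versioned copies and repoints the vmlinuz and System.map links with ln -fs exactly as step 3 does.

```shell
#!/bin/sh
# Added example (not from the book): copy a freshly built kernel image and its
# System.map into the boot directory and repoint the vmlinuz / System.map links.
# Usage: install_kernel /usr/src/linux /boot 2.4.5
set -eu

install_kernel() {
    src=$1      # kernel source tree, e.g. /usr/src/linux
    boot=$2     # boot directory, e.g. /boot
    ver=$3      # version string used in the file names, e.g. 2.4.5
    image="$src/arch/i386/boot/bzImage"
    map="$src/System.map"

    # Refuse to touch the boot directory if the build did not produce both files;
    # a half-installed kernel is worse than no new kernel at all.
    [ -f "$image" ] || { echo "install_kernel: missing $image" >&2; return 1; }
    [ -f "$map" ]   || { echo "install_kernel: missing $map" >&2; return 1; }
    [ -d "$boot" ]  || { echo "install_kernel: no such directory $boot" >&2; return 1; }

    # Steps 1 and 2: versioned copies, so the previous kernel stays available.
    cp "$image" "$boot/vmlinuz-$ver"
    cp "$map"   "$boot/System.map-$ver"

    # Step 3: ln -fs replaces an existing link, so vmlinuz and System.map always
    # name the newest kernel and lilo.conf can keep referring to /boot/vmlinuz.
    ln -fs "vmlinuz-$ver"    "$boot/vmlinuz"
    ln -fs "System.map-$ver" "$boot/System.map"
}

# Report which versioned file a link in the boot directory currently points to,
# e.g.  kernel_link_target /boot vmlinuz   prints   vmlinuz-2.4.5
kernel_link_target() {
    readlink "$1/$2"
}
```

Because the function only ever creates files with the version in their name and moves the two links, running it a second time with a newer version leaves the previous image in place and simply repoints the links, which is the behaviour the lilo.conf warning in Step 6 relies on.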
Step 4 
Remove obsolete and unnecessary files under the /boot directory to increase disk space: 


• To remove obsolete and unnecessary files under the /boot directory, use the commands: 
[root@deep /]# cd /boot/ (if you are not already in it) 
[root@deep /boot]# rm -f module-info 
[root@deep /boot]# rm -f initrd-2.4.x.img 


The module-info file is a link which points to the old modules directory of your original kernel. 
Since we have installed a brand new kernel, we do not need to keep this broken link. 


The initrd-2.4.x.img file contains an initial RAM disk image that serves as a 
system before the disk is available. This file is only present, installed by the initial Linux 
setup, if your system has a SCSI adapter. If we have a SCSI system, the required driver is now 
incorporated into our new Linux kernel, since we built it by answering Yes to the question related to our SCSI 
model during the configuration of the kernel, so we can remove this file (initrd-2.4.x.img) 
safely. 


Step 5 
Create a new Linux kernel directory that will hold all header files related to the Linux kernel for 
future compilation of other programs on your system. 


Recall that we created two symlinks under the /usr/include directory that point to the Linux 
kernel header files, to be able to compile the kernel without receiving errors and also to be able to compile 
future programs. The /usr/include directory is where all the header files for your Linux system 
are kept for reference and dependencies when you compile and install new programs. 


The asm and linux links are used when programs need to know some functions which are 
compile-time specific to the kernel installed on your system. Programs call other headers as well 
in the /usr/include directory when they must know specific information, dependencies, etc. of 
your system. 


• To create a new Linux kernel directory to handle all header files, use the commands: 
[root@deep /]# mkdir -p /usr/src/linux-2.4.5/include 
[root@deep /]# cd /usr/src/linux/ 
[root@deep linux]# cp -r include/asm-generic ../linux-2.4.5/include/ 
[root@deep linux]# cp -r include/asm-i386 ../linux-2.4.5/include/ 
[root@deep linux]# cp -r include/linux ../linux-2.4.5/include/ 
[root@deep linux]# cd ../ 
[root@deep src]# rm -rf /usr/src/linux 
[root@deep src]# cd /usr/src/ (to be sure that we are in the src directory) 
[root@deep src]# ln -s /usr/src/linux-2.4.5 linux 





First we create a new directory named “linux-2.4.5”, based on the version of the kernel we 
have installed, for easy interpretation; then we copy the directories asm-generic, asm-i386, and 
linux from /usr/src/linux/include to our new location /usr/src/linux-2.4.5/include. 


After we remove the entire source directory where we compiled the new kernel, we create a 
new symbolic link named “linux” under /usr/src that points to our new /usr/src/linux-2.4.5 
directory. With these steps, future compiled programs will know where to look for headers 
related to the kernel on your server. 

NOTE: This step lets us gain space on our hard drive and reduces the security risk. 
The Linux kernel source directory holds a lot of files and is about 94M in size when 
uncompressed. With the procedure described above, our Linux kernel directory is now 
approximately 4M in size, so we save 90MB for the same functionality. 








Step 6 
Finally, you need to edit the /etc/lilo.conf file to make your new kernel one of the boot-time 
options: 


Edit the lilo.conf file (vi /etc/lilo.conf) and make the appropriate change on the line 
that reads “image=/boot/vmlinuz-x.x.x”. 


[root@deep /]# vi /etc/lilo.conf 


boot=/dev/sda 
map=/boot/map 
install=/boot/boot.b 
timeout=00 
default=linux 
restricted 
password=somepasswd 


image=/boot/vmlinuz 
label=linux 
read-only 
root=/dev/sda6 








WARNING: I recommend that you put on the line “image=/boot/vmlinuz-x.x.x” only the word 
“vmlinuz”; this saves us from having to edit the lilo.conf file each time we upgrade our kernel. 
The word “vmlinuz” always points to your latest kernel image. 


Also, for SCSI systems only, do not forget to remove the line that reads “initrd=/boot/initrd-x.x.x.img” 
in the lilo.conf file, since this line is no longer necessary now that we have built our 
SCSI support directly into the kernel by answering Yes to the question related to our SCSI model 
during configuration of the kernel. 








Once the necessary modifications have been made to the /etc/lilo.conf file as shown 
above, we update our lilo.conf file for the change to take effect with the following command: 


[root@deep /]# /sbin/lilo -v 
LILO version 21.4-4, copyright © 1992-1998 Werner Almesberger 
'lba32' extensions copyright © 1999,2000 John Coffman 

Reading boot sector from /dev/sda 
hda: ATAPI 32X CD-ROM drive, 128kB Cache 
Merging with /boot/boot.b 
Mapping message file /boot/message 
Boot image: /boot/vmlinuz 
Added linux * 
/boot/boot.0800 exists - no backup copy made. 
Writing boot sector. 
Reconfiguring /etc/modules.conf file 

This section applies only if you chose to install a modularized kernel on your system. The 
/etc/modules.conf file is the (optional) configuration file for loading kernel 
modules on your system. It is used to modify the behavior of the modprobe and depmod programs. 
This file consists of a set of lines with different parameters. After each upgrade of a 
modularized kernel it is important to verify that all the information and parameters it contains 
are still valid and correct. 


All the contents of the /etc/modules.conf file apply only to systems where the kernel has 
been configured with modules (modularized kernel). So if you have recompiled your new 
kernel with some new options as modules, or if you have removed some modules from it, it is 
important to update or remove the modules.conf file to reflect the changes and eliminate 
possible error messages during booting. 


As an example, the following is the content of the modules.conf file on my system. Linux 
added these parameters automatically, depending on the system hardware, during the primary 
install stage of the operating system. 


alias scsi_hostadapter aic7xxx 
alias eth0 eepro100 
alias eth1 eepro100 
alias parport_lowlevel parport_pc 
alias usb-controller uhci 


One important use of the modules.conf file is the possibility of using the “alias” directive to 
give alias names to modules and link object files to a module. 


After recompilation of the kernel, and depending on how we answered the different kernel 
questions during kernel configuration, it may be that we need to make some adjustments 
to the default parameters, especially if we answered yes during kernel configuration to 
some devices available in our system, like network cards and SCSI adapters. 


If the configuration file /etc/modules.conf is missing, or if a directive is not overridden, the 
default is to look under the /lib/modules directory containing modules compiled for the 
current release of the kernel. Therefore, we can remove the /etc/modules.conf file from the 
system and let the modprobe and depmod programs manage all existing modules for us. 


To summarize, you can: 


1) Keep the modules.conf file; it concerns only the kernel options that you answered m to during 
kernel configuration (of course, only if these modules already existed in modules.conf). 
Any kernel option that you answered yes or no to will not appear in the 
modules.conf file. 


2) Or remove the /etc/modules.conf file from your system and let the modprobe and 
depmod programs manage all existing modules for you. In a server environment, I 
prefer to use this choice. 
Delete programs, edit files pertaining to modules 

This section applies only if you chose to install a monolithic kernel on your system. By default, 
when you install Linux for the first time (like we did), the kernel is built as a modularized 
kernel. This means that each device or function we need exists as a module and is controlled 
by the kernel daemon program named kmod. kmod automatically loads some modules and 
functions into memory as they are needed, and unloads them when they're no longer being 
used. 


Step 1 

kmod and other module management programs included in the modutils RPM package use the 
modules.conf file located in the /etc directory to know, for example, which Ethernet card you 
have, whether your Ethernet card requires special configuration, and so on. If we do not use any modules 
in our newly compiled kernel because we compiled it as a monolithic kernel, and 
ONLY in this case, we can remove the modules.conf file and completely uninstall the 
modutils RPM package. 


• To remove the modules.conf file, use the following command: 
[root@deep /]# rm -f /etc/modules.conf 


• To uninstall the modutils package, use the following command: 
[root@deep /]# rpm -e --nodeps modutils 


Step 2 
One last thing to do is to edit the file devfsd.conf and comment out the line related to module 
autoloading by inserting a “#” at the beginning of the line. 


• Edit the devfsd.conf file (vi /etc/devfsd.conf), and change the line: 
LOOKUP .* MODLOAD 


To read: 


#LOOKUP .* MODLOAD 


Step 3 
Finally, it is important to remove the file named “modules.devfs” under /etc since it is no 
longer needed for a monolithic kernel. 


• To remove the modules.devfs file, use the following command: 
[root@deep /]# rm -f /etc/modules.devfs 








WARNING: Once again, the above (“Delete programs, edit files pertaining to modules”) is required 
only if you said no to “Enable loadable module support (CONFIG_MODULES)” in your 
kernel configuration because you have decided to build a monolithic kernel. 
Remounting the /boot partition of Linux as read-only 

This section applies to both monolithic and modularized kernels. Once our new kernel 
has been installed on the system, we can remount the /boot partition of Linux as read-only 
to eliminate the possibility that someone tries to change or modify vital files inside it. To 
remount the /boot directory as read-only, follow the simple steps below. 





Step 1 
• Edit the fstab file (vi /etc/fstab) and change the line: 
LABEL=/boot /boot ext2 defaults 1 2 
To read: 
LABEL=/boot /boot ext2 defaults,ro 1 2 





Step 2 
Make the Linux system aware of the modification you have made to the /etc/fstab file. 


• This can be accomplished with the following command: 
[root@deep /]# mount /boot -oremount 


• Then test your results with the following command: 
[root@deep /]# cat /proc/mounts 
/dev/root / ext2 rw 0 0 
/proc /proc proc rw 0 0 
/dev/sda1 /boot ext2 ro 0 0 
/dev/sda10 /cache ext2 rw,nodev 0 0 
/dev/sda9 /chroot ext2 rw 0 0 
/dev/sda8 /home ext2 rw,nosuid 0 0 
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0 
/dev/sda7 /usr ext2 rw 0 0 
/dev/sda11 /var ext2 rw 0 0 
/dev/sda12 /var/lib ext2 rw 0 0 
none /dev/pts devpts rw 0 0 


If you see something like: /dev/sda1 /boot ext2 ro 0 0, congratulations! 
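Reading /proc/mounts by eye is fine once, but the same check is worth keeping as a script that can run after every reboot to confirm /boot is still mounted read-only. The block below is an added example written for this page, not from the book: it parses a /proc/mounts style listing (the real file, or a saved copy, whose path is passed as a parameter) and splits the comma-separated option field instead of doing a substring match, so that "ro" is only accepted as a whole option. The sample listing in the usage is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the book): check from a /proc/mounts style listing
# whether a mount point carries a given mount option, e.g. that /boot is "ro".
# Usage: mount_has_option /proc/mounts /boot ro
# Exit status: 0 option present, 1 mounted without it, 2 mount point not found.
set -eu

mount_has_option() {
    mounts=$1; point=$2; want=$3
    # Fields of /proc/mounts: device mountpoint fstype options dump pass.
    # Options are comma separated, so field 4 is split and each element compared;
    # a plain substring match would wrongly accept "ro" inside "errors=remount-ro".
    awk -v p="$point" -v w="$want" '
        $2 == p {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == w) ok = 1
        }
        END { if (!found) exit 2; exit (ok ? 0 : 1) }
    ' "$mounts"
}

# The specific check the book asks for after the remount; defaults to the live table.
boot_is_readonly() {
    mount_has_option "${1:-/proc/mounts}" /boot ro
}
```

A non-zero exit from boot_is_readonly is the signal to look for: 1 means /boot came back read-write (the fstab edit did not take, or someone remounted it), 2 means /boot is not a separate mount point at all, in which case the read-only protection described in this section cannot apply to it.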


Rebooting your system to load the new kernel 

Whether you have installed a new monolithic kernel, where code and drivers are compiled 
into the kernel and are always loaded, or a modularized kernel, where some segments of 
code are compiled into the kernel as modules and loaded on demand, it is time to reboot your 
system and test your results. 


• To reboot your Linux system, use the following command: 
[root@deep /]# reboot 


When the system is rebooted and you are logged in, verify the new version of your kernel with the 
following command: 


• To verify the version of your new kernel, use the following command: 
[root@deep /]# uname -a 
Linux deep 2.4.5 #1 Sat Mar 24 09:38:35 EDT 2001 i686 unknown 





Congratulations! 
NOTE ABOUT SYSTEM SIZE: After recompilation of the kernel, installation of all packages 
necessary for compilation on the system, plus the update of required RPM packages, our 
Linux install size is now 162MB. Note that it can be smaller than 162MB if we do not install 
the compiler packages and use another computer to develop and compile tarballs. 





Making a new rescue floppy for Modularized Kernel 

This section applies only if you chose to install a modularized kernel on your system. After the 
reboot, you should now have a system with an upgraded kernel. Therefore, it is time to make a 
new rescue floppy with the new kernel in case of emergencies. To do this, follow the simple step 
below: 


• Log in as root, insert a new floppy, then execute the following command: 
[root@deep /]# mkbootdisk --device /dev/fd0H1440 2.4.5 
Insert a disk in /dev/fd0. Any information on the disk will be lost. 
Press <Enter> to continue or ^C to abort: 











WARNING: The mkbootdisk program runs only on a modularized kernel. So you can't use it on 
a monolithic kernel; instead, create an emergency boot floppy as shown below. 





Making an emergency boot floppy disk for Monolithic Kernel 

This section applies only if you chose to install a monolithic kernel on your system. Because 
it is possible to create a rescue floppy only on a modularized kernel, we must find another way 
to boot our Linux system for a monolithic kernel if the Linux kernel on the hard disk is 
damaged. This is possible with a Linux emergency boot floppy disk. You should create it 
immediately after you successfully start your system and log in as root. 


• To create the emergency boot floppy disk, follow these steps: 


1. Insert a floppy disk and format it with the following command: 
[root@deep /]# fdformat /dev/fd0H1440 
Double-sided, 80 tracks, 18 sec/track. Total capacity 1440 kB. 
Formatting ... done 
Verifying ... done 


2. Copy the file “vmlinuz” from the /boot directory to the floppy disk: 
[root@deep /]# cp /boot/vmlinuz /dev/fd0H1440 
cp: overwrite `/dev/fd0H1440'? y 


The vmlinuz file is a symbolic link that points to the real Linux kernel. 

3. Determine the kernel’s root device with the following command: 
[root@deep /]# rdev 
/dev/sda6 / 


The kernel’s root device is the disk partition where the root file system is located. In this 
example, the root device is /dev/sda6; the device name may be different on your 
system. 

4. Set the kernel’s root device with the following command: 
[root@deep /]# rdev /dev/fd0H1440 /dev/sda6 


To set the kernel’s root device, use the device reported by the “rdev” command utility in 
the previous step. 


5. Mark the root device as read-only with the following command: 
[root@deep /]# rdev -R /dev/fd0H1440 1 


This causes Linux to initially mount the root file system as read-only. By setting the root 
device as read-only, you avoid several warnings and error messages. 


6. Now put the boot floppy in the drive A: and reboot your system with the following 
command: 
[root@deep /]# reboot 


Because the mkbootdisk program is required only when you have a modularized kernel 
installed in your Linux system, we can remove the unneeded mkbootdisk package from the 
system. 


• To uninstall the mkbootdisk utility, use the following command: 
[root@deep /]# rpm -e mkbootdisk 


Optimizing Kernel 
This section deals with actions we can take to improve and tighten the performance of the Linux 
kernel. Note that we refer to the features available within the base installed Linux system. 


/proc/sys/vm: The virtual memory subsystem of Linux 

All parameters described later in this chapter reside under the /proc/sys/vm directory of the 
server and can be used to tune the operation of the virtual memory (VM) subsystem of the Linux 
kernel. Be very careful when attempting this. You can optimize your system, but you can also 
cause it to crash. Since every system is different, you'll probably want some control over these 
pieces of the system. 


Finally, these are advanced settings; if you don't understand them, then don't try to play in this 
area or use all the examples below directly on your systems. Remember that all systems are 
different and require different settings and customization. The majority of the following hacks will 
work fine on a server with >= 512MB of RAM, or a minimum of 256MB of RAM. Below this 
amount of memory, nothing is guaranteed and the default settings will be just fine for you. 


Below I show you the parameters that can be optimized for the system. All suggestions I make in this 
section are valid for every kind of server. The only difference depends on the amount of RAM 
your machines have, and this is where settings will change. 
/proc/sys/vm ----+-- bdflush 
                 |-- buffermem 
                 |-- freepages 
                 |-- kswapd 
                 |-- overcommit_memory 
                 |-- page-cluster 
                 |-- pagecache 
                 `-- pagetable_cache 


The above figure shows a snapshot of the /proc/sys/vm directory on a Red Hat Linux system 
running kernel version 2.4. Please note that this picture may look different on your system. 


The bdflush parameters 

The bdflush file is closely related to the operation of the virtual memory (VM) subsystem of the 
Linux kernel and has some influence on disk usage. This file, /proc/sys/vm/bdflush, controls 
the operation of the bdflush kernel daemon. We generally tune this file to improve file system 
performance. By changing some values from the defaults shown below, the system seems more 
responsive: it waits a little longer before writing to disk and thus avoids some disk access contention. 


The bdflush parameter currently contains 9 integer values, of which 6 are actually used by the 
2.4 kernel generation. The default setup for the bdflush parameter under Red Hat Linux is: 
"30 64 64 256 500 3000 60 0 0" 


Step 1 
To change the values of bdflush, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 





# Improve file system performance 
vm.bdflush = 100 1200 128 512 500 6000 500 0 0 


Step 2 
You must restart your network for the change to take effect: the Red Hat network script applies 
/etc/sysctl.conf when it starts (that is the "Setting network parameters" step shown below). The 
command to restart the network is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal (sysctl -p reloads the whole /etc/sysctl.conf the same way): 
[root@deep /]# sysctl -w vm.bdflush="100 1200 128 512 500 6000 500 0 0" 
In our example above, according to the /usr/src/linux/Documentation/sysctl/vm.txt 
file, the first parameter (100 %) (nfract) governs the maximum proportion of dirty buffers in the 
buffer cache. Dirty means that the contents of the buffer still have to be written to disk (as opposed 
to a clean buffer, which can just be forgotten about). Setting this to a high value means that Linux 
can delay disk writes for a long time, but it also means that it will have to do a lot of I/O at once 
when memory becomes short. A low value will spread out disk I/O more evenly. 


The second parameter (1200) (ndirty) gives the maximum number of dirty buffers that 
bdflush can write to the disk in one time. A high value will mean delayed, bursty I/O, while a 
small value can lead to memory shortage when bdflush isn't woken up often enough. 


The third parameter (128) (nrefill) is the number of buffers that bdflush will add to the list of 
free buffers when refill_freelist() is called. It is necessary to allocate free buffers beforehand, 
since the buffers are often of a different size than memory pages and some bookkeeping needs 
to be done beforehand. The higher the number, the more memory will be wasted and the less 
often refill_freelist() will need to run. 


The fourth parameter (512) (nref_dirt) is a threshold: when refill_freelist() comes across 
more than nref_dirt dirty buffers, it wakes up bdflush. 


Finally, the age_buffer (6000, i.e. 60*HZ) and age_super (500, i.e. 5*HZ) parameters govern 
the maximum time Linux waits before writing out a dirty buffer to disk. The value is expressed in 
jiffies (clock ticks); the number of jiffies per second is 100. age_buffer is the maximum age for 
data blocks, while age_super is for file system metadata. 


The fifth parameter (500) and the last two (0 and 0) are unused by the kernel, so we don't need 
to change the defaults. 








NOTE: Look at /usr/src/linux/Documentation/sysctl/vm.txt for more information on 
how to improve kernel parameters related to virtual memory. Also note that the bdflush 
parameters may vary from one kernel version to another. 





The buffermem parameters 

The buffermem file is also closely related to the operation of the virtual memory (VM) subsystem 
of the Linux kernel. The value in this file, /proc/sys/vm/buffermem, controls how much 
memory should be used for buffer memory (in percent). It is important to note that the 
percentage is calculated as a percentage of total system memory. 


The buffermem parameter currently contains 3 integer values, of which 1 is actually used by 
the kernel. The default setup for the buffermem parameter under Red Hat Linux is: 
"2 10 60" 


Step 1 
To change the values of buffermem, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Improve virtual memory performance 
vm.buffermem = 80 10 60 
Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal: 
[root@deep /]# sysctl -w vm.buffermem="80 10 60" 





In our example above, according to the /usr/src/linux/Documentation/sysctl/vm.txt 
file, the first parameter (80 %) is the minimum percentage of total memory that should be spent 
on the buffer cache. 


The last two parameters (10 and 60) are unused by the system so we don't need to change the 
defaults. 


Depending on the amount of RAM in the server, the value of 80% may vary. When your server is 
highly loaded and all applications are in use, you know in detail how much memory is required 
and used by the system. 80% for the buffermem parameter seems to be too much for systems 
under 256 MB of RAM. Running the "free -m" command at the prompt displays the amount of free 
and used memory in the system. 


Once you have executed "free -m", check the -/+ buffers/cache: line and take its first (used) 
value: that is the minimum the system needs outside the buffer cache, and your buffermem 
percentage must leave at least that much. 


As an example for 128 MB of RAM: 
128 * 80% = 102.4 MB 
128 - 102.4 = 25.6 MB 


[root@deep /]# free -m 
             total       used       free     shared    buffers     cached 
Mem:           124        121          3         30         43         48 
-/+ buffers/cache:         29         95 
Swap:          128          2        126 


The result shows that the -/+ buffers/cache: line needs 29 MB at minimum to run the system 
properly, while with 128 MB of RAM set at 80% we have only 25.6 MB available. That is a problem, 
so we go back to the calculator and do this: 


To solve the problem: 
128 * 70% = 89.6 MB 
128 - 89.6 = 38.4 MB 


Problem solved: at 70%, 38.4 MB remain for the system, which covers the 29 MB it needs. 
NOTE: Look at /usr/src/linux/Documentation/sysctl/vm.txt for more information on 
how to improve kernel parameters related to virtual memory. Also note that the buffermem 
parameters may vary from one kernel version to another. 





The freepages parameter 
The freepages file /proc/sys/vm/freepages defines the values in the struct freepages. 
According to the kernel documentation, that struct contains three members, min, low and high, 
which can be configured to tune the operation of the virtual memory (VM) subsystem of the Linux 
kernel. 


Usually we increase the first member (min) to something reasonable like 47.875 for every 32 MB 
of RAM we have, then multiply that result by 2 to get the value of member (low) and by 3 for 
member (high), both relative to the value of the first member (min): i.e. for a machine with 256 
MB of RAM, set it to 383 766 1149 (256/32=8, 8*47.875=383, 383*2=766, 383*3=1149). 


One important note here: if the buffermem parameters have been changed as shown above, 
then you don't need to do anything here, since the values of freepages will be adjusted 
automatically in relation to the buffermem values. 


The default setup for the freepages parameter under Red Hat Linux is: 
"2 15 75" 


Step 1 
To change the values of freepages, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Improve and better control swapping into the system 
vm.freepages = 383 766 1149 


Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal: 
[root@deep /]# sysctl -w vm.freepages="383 766 1149" 
In our example above, according to /usr/src/linux/Documentation/sysctl/vm.txt, 
the meaning of the numbers is: 


freepages.min 
When the number of free pages in the system reaches this number, only the kernel can allocate 
more memory. 


freepages.low 
If the number of free pages gets below this point, the kernel starts swapping aggressively. 


freepages.high 
The kernel tries to keep up to this amount of memory free; if memory comes below this point, the 
kernel gently starts swapping in the hopes that it never has to do real aggressive swapping. 








NOTE: Look at /usr/src/linux/Documentation/sysctl/vm.txt for more information on 
how to improve kernel parameters related to virtual memory. Also note that the freepages 
parameters may vary from one kernel version to another. 





The kswapd parameter 

The kswapd file /proc/sys/vm/kswapd is related to the kernel swapout daemon that frees 
memory when it gets fragmented or full. There are three parameters to tune in this file and two of 
them (tries_base and swap_cluster) have the largest influence on system performance. As 
for the above files, kswapd can be used to tune the operation of the virtual memory (VM) 
subsystem of the Linux kernel. 


The default setup for the kswapd parameter under Red Hat Linux is: 
"512 32 8" 


Step 1 
To change the values of kswapd, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Increase swap bandwidth 
vm.kswapd = 1024 32 16 


Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal: 
[root@deep /]# sysctl -w vm.kswapd="1024 32 16" 







In our example above, according to /usr/src/linux/Documentation/sysctl/vm.txt, 
the meaning of the parameters is: 


tries_base 

The maximum number of pages kswapd tries to free in one round is calculated from this number. 
Usually this number will be divided by 4 or 8 (See mm/vmscan.c), so it isn't as big as it looks. 
When you need to increase the bandwidth to/from swap, you'll want to increase this number. 


tries_min 

This is the minimum number of times kswapd tries to free a page each time it is called. Basically 
it's just there to make sure that kswapd frees some pages even when it's being called with 
minimum priority. 


swap_cluster 

This is the number of pages kswapd writes in one turn. You want this large so that kswapd does 
its I/O in large chunks and the disk doesn't have to seek often, but you don't want it to be too 
large, since that would flood the request queue. 








NOTE: Look at /usr/src/linux/Documentation/sysctl/vm.txt for more information on 
how to improve kernel parameters related to virtual memory. Also note that the kswapd 
parameters may vary from one kernel version to another. 





The page-cluster parameter 

The Linux virtual memory subsystem avoids excessive disk seeks by reading multiple pages on a 
page fault. The number of pages it reads depends heavily on the amount of memory in your 
machine. The number of pages the kernel reads in at once is equal to 2^page-cluster, so the 
value is an exponent, not a page count: page-cluster = 5 already means 32 pages. Values above 
5 don't make much sense for swap, because swap data is only clustered in 32-page groups. As 
for the files above, page-cluster is used to tune the operation of the virtual memory (VM) 
subsystem of the Linux kernel. 


The default for the page-cluster parameter is computed by the 2.4 kernel at boot from the 
amount of physical memory: 
"3" (or "2" on machines with less than 16 MB of RAM) 


Step 1 
To change the value of page-cluster, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Read 2^5 = 32 pages at once, the largest group swap data is clustered in 
vm.page-cluster = 5 


Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 
NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal: 
[root@deep /]# sysctl -w vm.page-cluster=5 





The pagecache parameter 

This file does the same job as the buffermem parameter, but for the struct page_cache, and 
thus controls the amount of memory used for the page cache. In short, it controls the amount of 
memory allowed for memory mapping and generic caching of files. 


The page cache is used for 3 main purposes: 


• caching read() data from files 
• caching mmap()ed data and executable files 
• swap cache 


When your system is both deep in swap and high on cache, it probably means that a lot of the 
swapped data is being cached, making for more efficient swapping than would otherwise be 
possible. You don't want the minimum level to be too low, otherwise your system might thrash 
when memory is tight or fragmentation is high. 


The default setup for the pagecache parameter under Red Hat Linux is: 
"2 15 75" 


Step 1 
To change the values of pagecache, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Improve files memory mapping and generic caching 
vm.pagecache = 8 25 85 


Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal: 
[root@deep /]# sysctl -w vm.pagecache="8 25 85" 
The pagetable_cache parameter 

The kernel keeps a number of page tables in a per-processor cache (this helps a lot on SMP 
systems). The cache size for each processor will be between the low and the high value. On SMP 
systems it is used so that the system can do fast pagetable allocations without having to acquire 
the kernel memory lock. 


For large systems, the settings are probably OK. For normal systems they won't hurt a bit. For 
small systems (<16MB RAM) and on a low-memory, single CPU system it might be 
advantageous to set both values to 0 so you don't waste the memory. 


The default setup for the pagetable_cache parameter under Red Hat Linux is: 
"25 50" 


Step 1 
To change the values of pagetable_cache, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Number of page tables kept in the per-processor cache (low high) 
vm.pagetable_cache = 35 60 





Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








WARNING: Only change these values on systems with multiple processors (SMP) or on small 
systems (single processor) with less than 16 MB of RAM. Recall that on small systems both 
values must be set to 0 (vm.pagetable_cache = 0 0). 





NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal: 
[root@deep /]# sysctl -w vm.pagetable_cache="35 60" 





/proc/sys/fs: The file system data of Linux 

All parameters described later in this chapter reside under the /proc/sys/fs directory of the 
server and can be used to tune and monitor miscellaneous things in the operation of the Linux 
kernel. Be very careful when attempting this. You can optimize your system, but you can also 
cause it to crash. Since every system is different, you'll probably want some control over these 
pieces of the system. 


Finally, these are advanced settings: if you don't understand them, don't experiment in this 
area and don't apply all the examples below directly to your systems. Remember that all systems 
are different and require different settings and customization. 


Below I show you only the parameters that can be optimized for the system. All suggestions I 
enumerate in this section are valid for every kind of server. The only difference depends on the 
amount of RAM your machines have, and this is where the settings will change. 


/proc/sys/fs 
  |-- binfmt_misc 
  |     |-- register 
  |     `-- status 
  |-- dentry-state 
  |-- dir-notify-enable 
  |-- dquot-max 
  |-- dquot-nr 
  |-- file-max 
  |-- file-nr 
  |-- inode-nr 
  |-- inode-state 
  |-- lease-break-time 
  |-- lease-enable 
  |-- overflowgid 
  |-- overflowuid 
  |-- super-max 
  `-- super-nr 





The above figure shows a snapshot of /proc/sys/fs directory on a Red Hat Linux system 
running kernel version 2.4. Please note that this picture may look different on your system. 


The file-max parameter 

The file-max file /proc/sys/fs/file-max sets the maximum number of file handles that 
the Linux kernel will allocate. We generally tune this file to raise the number of open files by 
increasing the value of /proc/sys/fs/file-max to something reasonable like 256 for every 
4 MB of RAM we have: i.e. for a machine with 256 MB of RAM, set it to 16384 (256/4=64, 
64*256=16384). 


The default setup for the file-max parameter under Red Hat Linux is: 
"8192" 


Step 1 
To adjust the value of file-max for 256 MB of RAM, do the following: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Improve the number of open files 
fs.file-max = 16384 


Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 
WARNING: When you regularly receive a lot of error messages from your server about 
running out of open files, you might want to raise this limit. The default value is 8192. A file server 
or web server needs a lot of open files. 


NOTE: There is another way to update the entry without restarting the network, by using the 
following command at your terminal: 
[root@deep /]# sysctl -w fs.file-max=16384 
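The RAM-based sizing rules of this chapter (buffermem checked against the -/+ buffers/cache line of free -m, freepages at 47.875 per 32 MB with low and high at 2x and 3x, file-max at 256 per 4 MB) and the apply-then-verify step that every sysctl change here needs can be put into one script. The following is an added example, not code from the book or from Red Hat. It assumes a Linux system with /proc/sys mounted and a sysctl that accepts -w; the function names, the "apply" argument and the sample free -m output are this example's own inventions.

```shell
#!/bin/sh
# Added example (not the book's code): the chapter's RAM-based sizing rules as
# shell functions, plus an apply-and-verify step for sysctl changes.
# Assumptions: Linux with /proc/sys mounted and a sysctl(8) that accepts -w;
# the function names below are this example's own, not kernel or book names.

# Read `free -m` output on stdin and print the "-/+ buffers/cache" used
# column: the memory the running system needs once cache is discounted.
vm_min_needed_mb() {
    awk '/^-\/\+ buffers\/cache:/ { print $3 }'
}

# Largest buffermem percentage (80, 70, 60, ...) that still leaves at least
# $2 MB of the $1 MB total outside the buffer cache; 0 if none does.
buffermem_pct() {
    awk -v total="$1" -v needed="$2" 'BEGIN {
        for (p = 80; p > 0; p -= 10)
            if (total * (100 - p) / 100 >= needed) { print p; exit }
        print 0
    }'
}

# freepages min/low/high for $1 MB of RAM: 47.875 per 32 MB (383/256 per MB),
# then low = 2*min and high = 3*min, exactly as the chapter computes them.
freepages_values() {
    fp_min=$(( $1 * 383 / 256 ))
    echo "$fp_min $(( fp_min * 2 )) $(( fp_min * 3 ))"
}

# fs.file-max for $1 MB of RAM: 256 handles per 4 MB.
file_max() {
    echo $(( $1 / 4 * 256 ))
}

# Map a sysctl key to its /proc/sys file: vm.bdflush -> /proc/sys/vm/bdflush.
key_to_path() {
    echo "/proc/sys/$(echo "$1" | tr . /)"
}

# Set one key with sysctl -w, then read it back from /proc: the kernel may
# silently clamp or ignore a value it does not like, so never trust the
# write alone. Returns non-zero (and prints both values) on mismatch.
apply_and_verify() {
    sv_key=$1; sv_want=$2
    sysctl -w "$sv_key=$sv_want" >/dev/null || return 1
    sv_got=$(tr -s '\t' ' ' < "$(key_to_path "$sv_key")")
    if [ "$sv_got" != "$sv_want" ]; then
        echo "$sv_key: wanted '$sv_want', kernel has '$sv_got'" >&2
        return 1
    fi
}

# Constructed `free -m` output for the chapter's 128 MB machine (not captured).
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:           124        121          3         30         43         48
-/+ buffers/cache:         29         95
Swap:          128          2        126'

if [ "${1:-}" = "apply" ]; then
    # Real run, as root: size everything from this machine and apply it.
    ram=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo)
    needed=$(free -m | vm_min_needed_mb)
    apply_and_verify vm.buffermem "$(buffermem_pct "$ram" "$needed") 10 60"
    apply_and_verify vm.freepages "$(freepages_values "$ram")"
    apply_and_verify fs.file-max "$(file_max "$ram")"
else
    # Dry run on the sample: reproduces the chapter's 128 MB and 256 MB figures.
    needed=$(printf '%s\n' "$SAMPLE_FREE" | vm_min_needed_mb)
    echo "128 MB box needs $needed MB -> vm.buffermem = $(buffermem_pct 128 "$needed") 10 60"
    echo "256 MB box -> vm.freepages = $(freepages_values 256), fs.file-max = $(file_max 256)"
fi
```

Run without arguments it only prints the figures for the sample machine; `sh vmtune.sh apply` as root sizes the values from /proc/meminfo and the live free -m, writes them with sysctl -w and reads each one back from /proc/sys. If the kernel rejects or rounds a value, apply_and_verify says so instead of continuing silently, which is the check the NOTE boxes in this chapter leave out. Writing the same lines into /etc/sysctl.conf remains necessary for the values to survive a reboot.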





Other possible optimization of the system 

All information described below relates to other possible tuning we can do on the system. Be 
very careful when attempting this. You can optimize your system, but you can also cause it to 
crash. Since every system is different, you will probably want some control over this part of the 
system. 


The ulimit parameter 


Linux itself has a "max user processes" limit per user. This feature allows us to control the 
number of processes a user on the server may be authorized to have. To improve performance, 
we can set the process limit for the super-user "root" to unlimited. Note that this also removes 
the kernel's per-user guard against a runaway process tree started as root, so apply it only to 
root and never to ordinary user accounts. 


Step 1 


• Edit the .bashrc file (vi /root/.bashrc) and add the following line: 


ulimit -u unlimited 


The ulimit parameter provides control over the resources available to the shell and to 
processes started by it. 








NOTE: You must exit and re-login from your terminal for the change to take effect. 





Step 2 


To verify that you are ready to go, make sure that when you type as root the command ulimit 
-a on your terminal, it shows "unlimited" next to max user processes. 


[root@deep /]# ulimit -a 
core file size (blocks)         1000000 
data seg size (kbytes)          unlimited 
file size (blocks)              unlimited 
max locked memory (kbytes)      unlimited 
max memory size (kbytes)        unlimited 
open files                      1024 
pipe size (512 bytes)           8 
stack size (kbytes)             8192 
cpu time (seconds)              unlimited 
max user processes              unlimited   ← this line 
virtual memory (kbytes)         unlimited 
NOTE: You may also run ulimit -u unlimited at the command prompt instead of adding it to 
the /root/.bashrc file, but the value will not survive a reboot. 





The atime attribute 

Linux records information about when files were created and last modified, as well as when they 
were last accessed. There is a cost associated with recording the last access time. The ext2 file 
system of Linux has an attribute that allows the super-user to mark individual files so that their 
last access time is not recorded. This may lead to significant performance improvements on often 
accessed, frequently changing files such as the contents of News Server, Web Server, Proxy 
Server and Database Server directories, among others. 


• To set the attribute on a file, use: 
[root@deep /]# chattr +A filename ← For a specific file 


For a whole directory tree, do something like: 


[root@deep /root]# chattr -R +A /var/spool ← For a News and Mail Server directory 
[root@deep /root]# chattr -R +A /cache ← For a Proxy Cache directory 
[root@deep /root]# chattr -R +A /home/httpd/openna ← For a Web Server directory 
[root@deep /root]# chattr -R +A /var/lib/mysql ← For a SQL Database directory 


The noatime attribute 

Linux has a special mount option for file systems called noatime that can be added to each line 
that describes one file system in the /etc/fstab file. If a file system has been mounted with 
this option, read accesses to the file system will no longer result in an update to the atime 
information associated with the file, as explained previously. The importance of the 
noatime setting is that it eliminates the need for the system to write to the file system for 
files which are simply being read. Since writes can be somewhat expensive, this can result in 
measurable performance gains. Note that the modification time of a file will continue to be 
updated any time the file is written to. In our example below, we will set the noatime option on our 
/chroot file system. 


Step 1 
• Edit the fstab file (vi /etc/fstab) and, in the line that refers to the /chroot file 
system, add the noatime option after the defaults option as shown below: 


LABEL=/chroot /chroot ext2 defaults,noatime 1 2 


Step 2 
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the 
Linux system about the modification. 


• This can be accomplished with the following command: 
[root@deep /]# mount -o remount /chroot 


Each file system that has been modified must be remounted with the command shown above. In 
our example we have modified the /chroot file system, and it is for this reason that we remount 
this file system with the above command. 
Step 3 
• You can verify that the modifications have been correctly applied to the Linux system with 
the following command: 
[root@deep /]# cat /proc/mounts 





/dev/root / ext2 rw 0 0 
/proc /proc proc rw 0 0 
/dev/sda1 /boot ext2 rw 0 0 
/dev/sda10 /cache ext2 rw,nodev 0 0 
/dev/sda9 /chroot ext2 rw,noatime 0 0 
/dev/sda8 /home ext2 rw,nosuid 0 0 
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0 
/dev/sda7 /usr ext2 rw 0 0 
/dev/sda11 /var ext2 rw 0 0 
/dev/sda12 /var/lib ext2 rw 0 0 
none /dev/pts devpts rw 0 0 


This command shows you all file systems on your Linux server with the options applied to them. 
If you see something like: 


/dev/sda9 /chroot ext2 rw,noatime 0 0 


Congratulations! 
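The two atime controls above, the per-file +A attribute and the per-mount noatime option, can both be audited from their own reporting formats: lsattr for the attribute and /proc/mounts for the mount option. The following is an added example, not code from the book or from Red Hat; the function names, the "audit" argument and the lsattr and /proc/mounts samples are constructed for this example. It checks the mount option as a whole word rather than a substring, so an option such as "relatime" can never be mistaken for "noatime", and it only remounts when the option is actually missing.

```shell
#!/bin/sh
# Added example (not the book's code): audit the two atime controls the chapter
# describes, the per-file +A attribute (chattr/lsattr) and the per-mount
# noatime option (/proc/mounts), and remount only when the option is missing.
# Function names and the sample data below are this example's own.

# From `lsattr -R`-style output on stdin, print every path whose flag field
# lacks 'A', i.e. files that still get atime updates. The flag field is the
# first token and the path is everything after it (paths may contain spaces);
# directory headers like "/var/spool:" have a single field and are skipped.
files_without_A() {
    awk 'NF < 2 { next } { flags = $1; sub(/^[^ ]+ /, ""); if (flags !~ /A/) print }'
}

# Option list (4th field of /proc/mounts) for mount point $1, read from stdin.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4 }'
}

# True if the comma-separated option list $1 contains $2 as a whole word, so
# "noatime" is never matched by a substring of another option.
has_opt() {
    printf '%s\n' "$1" | tr , '\n' | grep -qx "$2"
}

# $1 = mount point, $2 = option, stdin = /proc/mounts text.
has_mount_opt() {
    opts=$(mount_opts "$1")
    [ -n "$opts" ] && has_opt "$opts" "$2"
}

# Remount $1 with noatime unless /proc/mounts already shows it. The option is
# passed explicitly here; keep /etc/fstab in step so a reboot gives the same result.
ensure_noatime() {
    if has_mount_opt "$1" noatime < /proc/mounts; then
        echo "$1: noatime already active"
        return 0
    fi
    mount -o remount,noatime "$1" || return 1
    has_mount_opt "$1" noatime < /proc/mounts
}

# Constructed sample data modelled on the chapter's listings (not captured output).
SAMPLE_LSATTR='-------A------ /var/spool/mail/root
-------------- /var/spool/mail/www
s------A------ /var/spool/news/active
-------------- /var/spool/news/history'

SAMPLE_MOUNTS='/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda9 /chroot ext2 rw,noatime 0 0
/dev/sda13 /tmp ext2 rw,noexec,nosuid 0 0
/dev/sda8 /home ext2 rw,nosuid 0 0'

if [ "${1:-}" = "audit" ]; then
    # Real run, e.g. `sh atime_audit.sh audit /var/spool /chroot` as root.
    lsattr -R "$2" 2>/dev/null | files_without_A
    if has_mount_opt "$3" noatime < /proc/mounts; then
        echo "$3: noatime"
    else
        echo "$3: atime updates still on"
    fi
else
    echo "files still recording atime:"
    printf '%s\n' "$SAMPLE_LSATTR" | files_without_A
    for mp in /chroot /home; do
        if printf '%s\n' "$SAMPLE_MOUNTS" | has_mount_opt "$mp" noatime; then
            echo "$mp: noatime"
        else
            echo "$mp: atime updates still on"
        fi
    done
fi
```

Without arguments the script runs against the samples and lists the two files that lack +A and the one mount point that lacks noatime; with `audit DIR MOUNTPOINT` it does the same on the live system. ensure_noatime is the remount step of the procedure above with the verification folded in: it reads /proc/mounts before and after, so a remount that the kernel refused is reported rather than assumed.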
Part III Networking Related Reference 
In this Part 


Networking - TCP/IP Network Management 
Networking - Firewall IPTABLES Packet Filter 
Networking - Firewall Masquerading & Forwarding 


The last step before going into program security, optimization and installation is the networking 
part of the Linux system. The next three chapters take us through checking, securing and testing 
our network before implementing the iptables firewall packet filter of Linux, which will build a 
fortress around our secure server. 
7 Networking - TCP/IP Network Management 
In this Chapter 


TCP/IP security problem overview 

Installing more than one Ethernet Card per Machine 
Files-Networking Functionality 

Securing TCP/IP Networking 

Optimizing TCP/IP Networking 

Testing TCP/IP Networking 

The last checkup 
Linux TCP/IP Network Management 


Abstract 

This chapter has been inserted here because it is preferable not to be connected to the network if 
the parts "Installation-Related Reference" and "Security and Optimization-Related Reference" of 
the book have not been completed. It is not wise to apply new security configurations to your 
system while you are online. Also, don't forget that the firewall, which represents 50% of network 
security, is still not configured on the Linux server. Finally, it is very important, and I say VERY 
IMPORTANT, that you check all configuration files related to Linux networking to be sure that 
everything is configured correctly. Please follow all recommendations and steps in this chapter 
before continuing to read this book. This will allow us to be sure that if something goes wrong in 
the other chapters, it is not related to your networking configuration. 


• To stop a specific network device manually on your system, use the following command: 
[root@deep /]# ifdown eth0 


• To start a specific network device manually on your system, use the following command: 
[root@deep /]# ifup eth0 


• To stop all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network stop 
Shutting down interface eth0 [OK] 
Disabling IPv4 packet forwarding [OK] 











• To start all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network start 
Enabling IPv4 packet forwarding [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 


Until now, we have not played with the networking capabilities of Linux. Linux is one of the best 
operating systems in the world for networking features. Most Internet sites around the world 
already know this, and have used it for some time. Understanding your network hardware and all 
the files related to it is very important if you want to have a full control of what happens on your 
server. Good knowledge of primary networking commands is vital. Network management covers 
a wide variety of topics. In general, it includes gathering statistical data and monitoring the status 
of parts of your network, and taking action as necessary to deal with failures and other changes. 


The most primitive technique for network monitoring is periodic "pinging" of critical hosts. More 
sophisticated network monitoring requires the ability to get specific status and statistical 
information from a range of devices on the network. These should include various sorts of 
datagram counts, as well as counts of errors of different kinds. For these reasons, in this chapter 
we will try to answer fundamental questions about networking devices, files related to network 
functionality, and essential networking commands. 
TCP/IP security problem overview 

It is assumed that the reader is familiar with the basic operation of the TCP/IP protocol suite, 
which includes the functions of the IP and TCP header fields and initial connection negotiation. For 
the uninitiated, a brief description of TCP/IP connection negotiation is given below. The reader is 
strongly encouraged, however, to consult other published literature on the subject. 


The IP Packets 

The term packet refers to an Internet Protocol (IP) network message. It is the name given to a 
single, discrete message or piece of information that is sent across an Ethernet network. 
Structurally, a packet contains an information header and a message body containing the data 
being transferred. The body of the IP packet, its data, is all or a piece (a fragment) of a higher- 
level protocol message. 


The IP mechanism 
Linux supports three IP message types: ICMP, UDP, and TCP. An ICMP (Internet Control 
Message Protocol) packet is a network-level IP control and status message. ICMP messages 
contain information about the communication between the two end-point computers. 


A UDP (User Datagram Protocol) IP packet carries data between two network-based programs, 
without any guarantee regarding successful delivery or packet delivery ordering. Sending a UDP 
packet is akin to sending a postcard to another program. 


A TCP (Transmission Control Protocol) IP packet carries data between two network-based 
programs, as well, but the packet header contains additional state information for maintaining an 
ongoing, reliable connection. Sending a TCP packet is akin to carrying on a phone conversation 
with another process. Most Internet network services use the TCP communication protocol rather 
than the UDP communication protocol. In other words, most Internet services are based on the 
idea of an ongoing connection with two-way communication between a client program and a 
server program. 


The IP packet headers 

All IP packet headers contain the source and destination IP addresses and the type of IP 
protocol message (ICMP, UDP or TCP) this packet contains. Beyond this, a packet header 
contains slightly different fields depending on the protocol type. ICMP packets contain a type field 
identifying the control or status message, along with a second code field defining the message 
more specifically. UDP and TCP packets contain source and destination service port numbers. 
TCP packets contain additional information about the state of the connection and unique 
identifiers (sequence numbers) for each packet. 


The TCP/IP Security Problem 

The TCP/IP protocol suite has a number of weaknesses that allow an attacker to leverage 
techniques in the form of covert channels to surreptitiously pass data in otherwise benign 
packets. This section attempts to illustrate these weaknesses in theoretical examples. 


A covert channel is described as "any communication channel that can be exploited by a process 
to transfer information in a manner that violates the system's security policy". Essentially, it is a 
method of communication that is not part of an actual computer system design, but can be used 
to transfer information to users or system processes that normally would not be allowed access to 
the information. 


In the case of TCP/IP, there are a number of methods available whereby covert channels can be 
established and data can be surreptitiously passed between hosts. These methods can be used 
in a variety of areas such as the following: 


• Bypassing packet filters, network sniffers, and "dirty word" search engines. 

• Encapsulating encrypted or non-encrypted information within otherwise normal packets of 
information for secret transmission through networks that prohibit such activity ("TCP/IP 
Steganography"). 

• Concealing locations of transmitted data by "bouncing" forged packets with encapsulated 
information off innocuous Internet sites. 


It is important to realize that TCP is a "connection oriented" or "reliable" protocol. Simply put, TCP 
has certain features that ensure data usually arrives at the remote host intact. The 
basic operation of this relies on the initial TCP "three way handshake", which is described in the 
three steps below. 


Step 1 
Send a synchronize (SYN) packet and Initial Sequence Number (ISN) 


Host A wishes to establish a connection to Host B. Host A sends a solitary packet to Host B with 
the synchronize bit (SYN) set announcing the new connection and an Initial Sequence Number 
(ISN) which will allow tracking of packets sent between hosts: 


Host A ------ SYN(ISN) ------> Host B 


Step 2 
Allow remote host to respond with an acknowledgment (ACK) 


Host B responds to the request by sending a packet with the synchronize bit (SYN) and the ACK 
(acknowledgment) bit set back to the calling host. This packet contains not only 
Host B's own sequence number, but also the Initial Sequence Number plus one (ISN+1) to 
indicate that the remote packet was correctly received as part of the acknowledgment and that 
Host B is awaiting the next transmission: 


Host A <------ SYN/ACK (ISN+1) ------ Host B 


Step 3 
Complete the negotiation by sending a final acknowledgment to the remote host. 


At this point Host A sends back a final ACK packet and sequence number to indicate successful 
reception and the connection is complete and data can now flow: 


Host A ------ ACK ------> Host B 


The entire connection process happens in a matter of milliseconds and both sides independently 
acknowledge each packet from this point. This handshake method ensures a "reliable" 
connection between hosts and is why TCP is considered a "connection oriented" protocol. 


It should be noted that only TCP packets exhibit this negotiation process. This is not so with UDP 
packets which are considered "unreliable" and do not attempt to correct errors nor negotiate a 
connection before sending to a remote host. 


Encoding Information in a TCP/IP Header 

The TCP/IP header contains a number of areas where information can be stored and sent to a 
remote host in a covert manner. Take the following diagrams, which are textual representations of 
the IP and TCP headers respectively: 


IP Header (Numbers represent bits of data from 0 to 32 and the relative position of the fields in 
the datagram) 


   0        4        8                16     19       24                 32
   |  VERS  |  HLEN  |  Service Type  |           Total Length            |
   |          Identification          | Flags |      Fragment Offset      |
   |   Time to Live  |    Protocol    |          Header Checksum          |
   |                        Source IP Address                             |
   |                      Destination IP Address                          |
   |                     Options                          |    Padding    |
   |                            Data ...                                  |


TCP Header (Numbers represent bits of data from 0 to 32 and the relative position of the fields in 
the datagram) 


   0        4        8                16                                  32
   |           Source Port            |         Destination Port          |
   |                         Sequence Number                              |
   |                      Acknowledgment Number                           |
   |  HLEN  | Reserved |   Code Bits  |              Window               |
   |             Checksum             |          Urgent Pointer           |
   |                     Options                          |    Padding    |
   |                            Data ...                                  |
Within each header there are multitudes of areas that are not used for normal transmission or are 
"optional" fields to be set as needed by the sender of the datagrams. An analysis of the areas of a 
typical IP header that are either unused or optional reveals many possibilities where data can be 
stored and transmitted. 
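To make the header layouts above and the three-way handshake concrete, here is an added Python example (not code from the book). It decodes the IP and TCP fields with struct, verifies the IP header checksum, and checks that a three-packet trace follows the SYN, SYN/ACK (ISN+1), ACK sequence described earlier, which is the kind of check an inspection tool performs when deciding whether a connection attempt is well formed. The packets, the 192.0.2.x documentation addresses and all function and field names are constructed for this example.

```python
"""Decode IPv4/TCP headers and verify a three-way handshake (constructed sample traffic)."""
import struct
from dataclasses import dataclass

# TCP code bits (flags) by bit position within the 16-bit offset/flags word.
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ones_complement_sum(data: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPHeader:
    version: int
    header_len: int
    total_length: int
    identification: int
    flags: int
    fragment_offset: int
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str


@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    header_len: int
    flags: frozenset
    window: int


def parse_ip(packet: bytes):
    """Return (IPHeader, payload). A valid header checksums to zero when summed whole."""
    vihl, _tos, tlen, ident, frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    hlen = (vihl & 0x0F) * 4
    header = IPHeader(vihl >> 4, hlen, tlen, ident, frag >> 13, frag & 0x1FFF, ttl, proto,
                      ones_complement_sum(packet[:hlen]) == 0,
                      ".".join(map(str, src)), ".".join(map(str, dst)))
    return header, packet[hlen:]


def parse_tcp(segment: bytes):
    """Return (TCPHeader, payload)."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    flags = frozenset(name for bit, name in TCP_FLAGS.items() if off_flags & bit)
    return TCPHeader(sport, dport, seq, ack, hlen, flags, window), segment[hlen:]


def build_packet(src, dst, sport, dport, seq, ack, flags, payload=b"", ident=0, ttl=64):
    """Build an IPv4+TCP packet with correct IP and TCP checksums (constructed test data)."""
    src_b, dst_b = (bytes(map(int, a.split("."))) for a in (src, dst))
    flag_bits = sum(bit for bit, name in TCP_FLAGS.items() if name in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))  # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0x4000, ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def handshake_ok(trace):
    """Check SYN(ISN_A) -> SYN/ACK(ISN_B, ack=ISN_A+1) -> ACK(seq=ISN_A+1, ack=ISN_B+1)."""
    if len(trace) != 3:
        return False
    ips, tcps = zip(*((ip, parse_tcp(rest)[0]) for ip, rest in map(parse_ip, trace)))
    syn, synack, ack = tcps
    a_to_b = ips[0].src == ips[2].src == ips[1].dst and ips[0].dst == ips[1].src == ips[2].dst
    return (all(ip.checksum_ok and ip.protocol == 6 for ip in ips) and a_to_b
            and syn.flags == {"SYN"}
            and synack.flags == {"SYN", "ACK"} and synack.ack == (syn.seq + 1) & 0xFFFFFFFF
            and ack.flags == {"ACK"} and ack.seq == synack.ack
            and ack.ack == (synack.seq + 1) & 0xFFFFFFFF)


def sample_handshake(isn_a=1000, isn_b=5000):
    """Constructed three-packet trace between two RFC 5737 documentation addresses."""
    a, b = "192.0.2.10", "192.0.2.20"
    return [
        build_packet(a, b, 40000, 80, isn_a, 0, {"SYN"}, ident=1),
        build_packet(b, a, 80, 40000, isn_b, isn_a + 1, {"SYN", "ACK"}, ident=2),
        build_packet(a, b, 40000, 80, isn_a + 1, isn_b + 1, {"ACK"}, ident=3),
    ]


if __name__ == "__main__":
    for pkt in sample_handshake():
        ip, rest = parse_ip(pkt)
        tcp, _ = parse_tcp(rest)
        print(f"{ip.src}:{tcp.src_port} -> {ip.dst}:{tcp.dst_port} "
              f"{'/'.join(sorted(tcp.flags))} seq={tcp.seq} ack={tcp.ack} ip_csum_ok={ip.checksum_ok}")
    print("handshake valid:", handshake_ok(sample_handshake()))
```

Running the block prints one line per packet of the constructed trace and then whether the trace is a valid handshake; feeding it a final ACK with the wrong acknowledgment number, or a header with a flipped byte, makes handshake_ok or checksum_ok return False.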


The basis of the exploitation relies on encoding ASCII values in the range 0-255. Using this 
method it is possible to pass data between hosts in packets that appear to be initial connection 
requests, established data streams, or other intermediate steps. These packets can contain no 
actual data, or can contain data designed to look innocent. These packets can also contain 
forged source and destination IP addresses as well as forged source and destination ports. 


This can be useful for tunneling information past some types of packet filters. Additionally, forged 
packets can be used to initiate an anonymous TCP/IP "bounced packet network" whereby 
packets between systems can be relayed off legitimate sites to thwart tracking by sniffers and 
other network monitoring devices. 


Implementations of Security Solutions 
The following protocols and systems are commonly used to provide various degrees of 
security services in a computer network. 


IP filtering 
Network Address Translation (NAT) 
IP Security Architecture (IPSec) 
SOCKS 
Secure Sockets Layer (SSL) 
Application proxies 
Firewalls 
Kerberos and other authentication systems (AAA servers) 
Secure Electronic Transactions (SET) 





This graph illustrates where those security solutions fit within the TCP/IP layers: 


   Layer                            Security solutions
   ------------------------------   -----------------------------------------------------
   Applications                     S-MIME, Kerberos, Proxies, SET, IPSec (ISAKMP)
   TCP/UDP (Transport)              SOCKS, SSL/TLS
   IP (Internetwork)                IPSec (AH, ESP), Packet filtering, Tunneling protocols
   Network interface (Data Link)    CHAP, PAP, MS-CHAP


Security Solutions in the TCP/IP Layers 
Installing more than one Ethernet Card per Machine 

You might use Linux as a gateway between two Ethernet networks. In that case, you might have 
two Ethernet cards on your server. To eliminate problems at boot time, the Linux kernel doesn't 
detect multiple cards automatically. If you happen to have two or more cards, you should specify 
the parameters of the cards in the lilo.conf file for a Monolithic kernel or in the 
modules.conf file for a Modularized kernel. The following are problems you may encounter with 
your network cards. 


Problem 1 

If the driver(s) of the card(s) is/are being used as a loadable module (Modularized kernel), in the 
case of PCI drivers, the module will typically detect all of the installed cards automatically. For 
ISA cards, you need to supply the I/O base address of the card so the module knows where to 
look. This information is stored in the file /etc/modules.conf. 


As an example, consider we have two ISA 3c509 cards, one at I/O 0x300 and one at I/O 0x320. 


• For ISA cards, edit the modules.conf file (vi /etc/modules.conf) and add: 


alias eth0 3c509 
alias eth1 3c509 
options 3c509 io=0x300,0x320 


This says that the 3c509 driver should be loaded for either eth0 or eth1 (alias eth0, eth1) and it 
should be loaded with the options io=0x300,0x320 so that the driver knows where to look for the 
cards. Note that the 0x prefix is important; things like 300h as commonly used in the DOS world 
won't work. 


For PCI cards, you typically only need the alias lines to correlate the ethN interfaces with the 
appropriate driver name, since the I/O base of a PCI card can be safely detected. 


• For PCI cards, edit the modules.conf file (vi /etc/modules.conf) and add: 


alias eth0 3c509 
alias eth1 3c509 


Problem 2 

If the driver(s) of the card(s) is/are compiled into the kernel (Monolithic kernel), the PCI probes 
will find all related cards automatically. The ISA probes will usually find all related cards as well, but 
in some circumstances ISA cards still need the following. This information is stored in the file 
/etc/lilo.conf. The method is to pass boot-time arguments to the kernel, which is usually 
done by LILO. 


• For ISA cards, edit the lilo.conf file (vi /etc/lilo.conf) and add: 


append="ether=0,0,eth1" 





In this case eth0 and eth1 will be assigned in the order that the cards are found at boot. 
Remember that this is required only in some circumstances for ISA cards; PCI cards will be found 
automatically. 








NOTE: First test your ISA cards without the boot-time arguments in the lilo.conf file, and if this 
fails, use the boot-time arguments. 
Files-Networking Functionality 

In Linux, the TCP/IP network is configured through several text files. You may have to edit them 
to make the network work. It's very important to know the configuration files related to TCP/IP 
networking, so that you can edit and configure the files if necessary. Remember that our server 
doesn't have an X Window interface (GUI) to configure files graphically. Even if you 
use a GUI in your daily activities it is important to know how to configure the network 
configuration files in text mode. The following sections describe all the basic TCP/IP 
configuration files under Linux. 


The /etc/sysconfig/network-scripts/ifcfg-ethN files 

The configuration files for each network device you may have or want to add on your system are 
located in the /etc/sysconfig/network-scripts directory with Red Hat Linux, and are 
named ifcfg-eth0 for the first interface and ifcfg-eth1 for the second, etc. It is 
recommended to verify that all the parameters in this file are correct. 


Following is a sample /etc/sysconfig/network-scripts/ifcfg-eth0 file: 


DEVICE=eth0 
BOOTPROTO=static 
BROADCAST=208.164.186.255 
IPADDR=208.164.186.1 
NETMASK=255.255.255.0 
NETWORK=208.164.186.0 
ONBOOT=yes 
USERCTL=no 
If you want to modify your network address manually, or add a new one on a new interface, edit 
this file (ifcfg-ethN), or create a new one and make the appropriate changes. 











DEVICE=devicename, where devicename is the name of the physical network device. 

BOOTPROTO=proto, where proto is one of the following: 

   static - The default option of Linux (static IP address) should be used. 
   none - No boot-time protocol should be used. 
   bootp - The bootp (now pump) protocol should be used. 
   dhcp - The dhcp protocol should be used. 

BROADCAST=broadcast, where broadcast is the broadcast IP address. 

IPADDR=ipaddr, where ipaddr is the IP address. 

NETMASK=netmask, where netmask is the netmask IP value. 

NETWORK=network, where network is the network IP address. 

ONBOOT=answer, where answer is yes or no (whether the interface is activated at boot time). 

USERCTL=answer, where answer is one of the following: 

   • yes (Non-root users are allowed to control this device). 
   • no (Only the super-user root is allowed to control this device). 
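A small added example (not code from the book) that applies the rules just listed: it parses an ifcfg-ethN file and checks that the values agree with each other, since a NETWORK or BROADCAST that does not match IPADDR/NETMASK, or a USERCTL=yes on a server, is exactly the kind of slip the text asks you to verify by hand. The sample file content is constructed from the chapter's example; the function names are my own.

```python
"""Validate a Red Hat ifcfg-ethN file for internal consistency (added example)."""
import ipaddress

# Constructed sample mirroring the chapter's ifcfg-eth0.
SAMPLE_IFCFG = """\
DEVICE=eth0
BOOTPROTO=static
BROADCAST=208.164.186.255
IPADDR=208.164.186.1
NETMASK=255.255.255.0
NETWORK=208.164.186.0
ONBOOT=yes
USERCTL=no
"""

BOOTPROTOS = ("static", "none", "bootp", "dhcp")


def parse_ifcfg(text: str) -> dict:
    """Parse KEY=value lines; comments and blank lines are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=value, got {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_ifcfg(cfg: dict) -> list:
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    for key in ("DEVICE", "BOOTPROTO", "ONBOOT"):
        if key not in cfg:
            findings.append(f"{key} is missing")
    proto = cfg.get("BOOTPROTO")
    if proto is not None and proto not in BOOTPROTOS:
        findings.append(f"BOOTPROTO={proto!r} is not one of {'/'.join(BOOTPROTOS)}")
    for key in ("ONBOOT", "USERCTL"):
        if key in cfg and cfg[key] not in ("yes", "no"):
            findings.append(f"{key}={cfg[key]!r} must be yes or no")
    if cfg.get("USERCTL") == "yes":
        findings.append("USERCTL=yes lets non-root users bring the interface up or down")
    if proto == "static":
        try:
            # IPv4Interface accepts "address/netmask" and derives the network for us.
            iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
        except (KeyError, ValueError) as exc:
            findings.append(f"static configuration needs a valid IPADDR and NETMASK: {exc}")
            return findings
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            findings.append("IPADDR is the network or broadcast address, not a host address")
        if "NETWORK" in cfg and cfg["NETWORK"] != str(net.network_address):
            findings.append(f"NETWORK={cfg['NETWORK']} but IPADDR/NETMASK give {net.network_address}")
        if "BROADCAST" in cfg and cfg["BROADCAST"] != str(net.broadcast_address):
            findings.append(f"BROADCAST={cfg['BROADCAST']} but IPADDR/NETMASK give {net.broadcast_address}")
    return findings


if __name__ == "__main__":
    for finding in check_ifcfg(parse_ifcfg(SAMPLE_IFCFG)) or ["ifcfg-eth0: no problems found"]:
        print(finding)
```

To check a real file, read /etc/sysconfig/network-scripts/ifcfg-eth0 into a string and pass it to parse_ifcfg; every finding names the key and the value the other keys imply.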
The /etc/resolv.conf file 

This file /etc/resolv.conf is another text file, used by the resolver, a library that determines 
the IP address for a host name. It is recommended to verify that all parameters included in this file 
are correct. 


Following is a sample /etc/resolv.conf file: 


domain openna.com 
search ns1.openna.com ns2.openna.com openna.com 
nameserver 208.164.186.1 
nameserver 208.164.186.2 
nameserver 127.0.0.1 








NOTE: Name servers are queried in the order they appear in the file (primary, secondary). 





The /etc/host.conf file 

This file /etc/host.conf specifies how names are resolved. Linux uses a resolver library to 
obtain the IP address corresponding to a host name. It is recommended to verify that all 
parameters included in this file are correct. 


Following is a sample /etc/host.conf file: 


# Lookup names via /etc/hosts first then fall back to DNS resolver. 
order hosts,bind 
# We have machines with multiple addresses. 
multi on 


The order option indicates the order of services. The sample entry specifies that the resolver 
library should first consult the /etc/hosts file of Linux to resolve a name and then check the 
name server (DNS). 


The multi option determines whether a host in the /etc/hosts file can have multiple IP 
addresses (multiple interface ethN). Hosts that have more than one IP address are said to be 
multihomed, because the presence of multiple IP addresses implies that the host has several 
network interfaces. 


The /etc/sysconfig/network file 

The /etc/sysconfig/network file is used to specify information about the desired network 
configuration on your server. It is recommended that you verify all the parameters included in this 
file are correct. 


Following is a sample /etc/sysconfig/network file: 


NETWORKING=yes 
HOSTNAME=deep 
GATEWAY=207.35.78.1 
GATEWAYDEV=eth0 


The following values may be used: 





NETWORKING=answer, where answer is yes or no (whether networking is configured at all). 

HOSTNAME=hostname, where hostname is the hostname of your server. 

GATEWAY=gwip, where gwip is the IP address of the remote network gateway (if available). 

GATEWAYDEV=gwdev, where gwdev is the device name (eth#) you use to access the remote gateway. 





The /etc/sysctl.conf file 

With the new version of Red Hat Linux, all kernel parameters available under the /proc/sys/ 
subdirectory of Linux can be configured at runtime. You can use the new /etc/sysctl.conf 
file to modify and set kernel parameters at runtime. The sysctl.conf file is read and loaded 
each time the system reboots or when you restart your network. All settings are now stored in the 
/etc/sysctl.conf file. All modifications to /proc/sys should be made through 
/etc/sysctl.conf, because they are easier to control there, and are executed before rc.local or 
any other "user" scripts. 





Below, we'll focus only on the kernel option for IPv4 forwarding support. See later in this chapter 
for the TCP/IP security parameters related to the sysctl.conf file. 


To enable IPv4 forwarding on your Linux system, follow these steps: 


Step 1 
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Enable packet forwarding (required only for Gateway, VPN, Proxy, PPP) 
net.ipv4.ip_forward = 1 


Step 2 
You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








WARNING: You must enable packet forwarding only on a machine that serves as a Gateway 
Server, VPN Server, Proxy Server or with PPP connection. Forwarding allows packets that are 
destined for another network interface (if you have another one) to pass through the network. 


There is another way to update the entry without restarting the network by using the following 
command into your terminal screen: 
[root@deep /]# sysctl -w net.ipv4.ip_forward=1 
The /etc/hosts file 

As your machine gets started, it will need to know the mapping of some hostnames to IP 
addresses before DNS can be referenced. This mapping is kept in the /etc/hosts file. In the 
absence of a name server, any network program on your system consults this file to determine 
the IP address that corresponds to a host name. 


Following is a sample /etc/hosts file: 


IP Address Hostname Alias 
127.0.0.1 localhost.localdomain localhost 
208.164.186.1 deep.openna.com deep 
208.164.186.2 mail.openna.com mail 
208.164.186.3 web.openna.com web 


The leftmost column is the IP address to be resolved. The next column is that host's name. Any 
subsequent columns are the aliases for that host. In the second line, for example, the IP address 
208.164.186.1 is for the host deep.openna.com. Another name for deep.openna.com is 
deep. 








WARNING: Some people have reported that a badly formed line in the /etc/hosts file may result 
in a "Segmentation fault (core dumped)" from the syslogd daemon, therefore I recommend that you 
double-check your entries in this file and be sure they correspond to the example shown 
above. The "Alias" part of the line is important if you want to be able to use the FQDN (Fully 
Qualified Domain Name) of the system reported by the hostname -f command. 
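Since a malformed /etc/hosts line can take down syslogd, it is worth checking the file mechanically before restarting the network. The following added Python example (not from the book) parses hosts-file text, reports lines that lack an address or a name, use a value that is not an IP address, or carry an invalid hostname, and shows which canonical name a short name such as deep maps to, which is what hostname -f relies on when host.conf says "order hosts,bind". The sample content is constructed from the chapter's example; the function names are my own.

```python
"""Check /etc/hosts for malformed lines and resolve a short name to its FQDN (added example)."""
import ipaddress
import re

# Constructed sample modelled on the chapter's /etc/hosts.
SAMPLE_HOSTS = """\
127.0.0.1       localhost.localdomain   localhost
208.164.186.1   deep.openna.com         deep
208.164.186.2   mail.openna.com         mail
208.164.186.3   web.openna.com          web
"""

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen, max 63 chars.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name: str) -> bool:
    """RFC 1123 style check on every label of the name."""
    if not name or len(name) > 253:
        return False
    return all(LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_hosts(text: str):
    """Return (entries, problems): entries are (ip, canonical_name, [aliases]) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            problems.append(f"line {lineno}: needs an IP address followed by at least one name")
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append(f"line {lineno}: {fields[0]!r} is not an IP address")
            continue
        bad = [n for n in fields[1:] if not valid_hostname(n)]
        if bad:
            problems.append(f"line {lineno}: invalid hostname(s) {bad}")
            continue
        entries.append((str(addr), fields[1], fields[2:]))
    return entries, problems


def fqdn_for(entries, hostname: str):
    """Canonical (first) name on the first line that lists hostname; None if it is not in the file.
    With 'order hosts,bind' this is the name hostname -f reports for the local machine."""
    for _addr, canonical, aliases in entries:
        if hostname == canonical or hostname in aliases:
            return canonical
    return None


if __name__ == "__main__":
    entries, problems = parse_hosts(SAMPLE_HOSTS)
    for problem in problems:
        print("PROBLEM:", problem)
    print("entries:", len(entries), "FQDN of deep:", fqdn_for(entries, "deep"))
```

If the short hostname from /etc/sysconfig/network (deep in the chapter's example) returns None here, hostname -f will have to fall back to DNS, which is the slow path the WARNING below describes.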





After you are finished adding and configuring your networking files, don’t forget to restart your 
network for the changes to take effect. 


• To restart your network, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 


Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface ethl [OK] 








WARNING: Time out problems for telnet or ftp connection are often caused by the server trying 
to resolve the client IP address to a DNS name. Either DNS isn’t configured properly on your 
server or the client machines aren’t known to the DNS server. If you intend to run telnet or ftp 
services on your server, and aren't using DNS, don’t forget to add the client machine name and 
IP in your /etc/hosts file on the server or you can expect to wait several minutes for the DNS 
lookup to time out, before you get a login prompt. 
Securing TCP/IP Networking 

In Red Hat Linux, many kernel options related to networking security, such as dropping packets 
that come in over interfaces they shouldn't or ignoring ping/broadcast requests, can be set in 
the new /etc/sysctl.conf file instead of the /etc/rc.d/rc.local file. The sysctl 
settings are stored in /etc/sysctl.conf, and are loaded at each boot or networking restart 
before the /etc/rc.d/rc.local file is loaded. 


Below, we show you the networking security options that you must definitely configure on your 
server. To display all sysctl values currently available, use the "sysctl -a" command. 


/proc/sys/net/ipv4: IPV4 settings of Linux 

All parameters described below reside under the /proc/sys/net/ipv4 directory of the server 
and can be used to control the behavior of the IPv4 subsystem of the Linux kernel. Below I show 
you only the parameters which can be used for the network security of the system. 


/proc/sys/net/ipv4
  |
  |-- /conf ----- /all, /default, /eth0, /lo   (one directory per interface)
  |                 accept_redirects
  |                 accept_source_route
  |                 bootp_relay
  |                 forwarding
  |                 log_martians
  |                 mc_forwarding
  |                 proxy_arp
  |                 rp_filter
  |                 secure_redirects
  |                 send_redirects
  |                 shared_media
  |                 tag
  |
  |-- icmp_destunreach_rate
  |-- icmp_echo_ignore_all
  |-- icmp_echo_ignore_broadcasts
  |-- icmp_echoreply_rate
  |-- icmp_ignore_bogus_error_responses
  |-- icmp_paramprob_rate
  |-- icmp_timeexceed_rate
  |-- inet_peer_gc_maxtime
  |-- inet_peer_gc_mintime
  |-- inet_peer_maxttl
  |-- inet_peer_minttl
  |-- inet_peer_threshold
  |-- ip_autoconfig
  |-- ip_default_ttl
  |-- ip_dynaddr
  |-- ip_forward
  |-- ip_local_port_range
  |-- ip_no_pmtu_disc
  |-- ip_nonlocal_bind
  |-- ipfrag_high_thresh
  |-- ipfrag_low_thresh
  |-- ipfrag_time
  |
  |-- /neigh ---- /default, /eth0, /lo   (one directory per interface)
  |                 anycast_delay
  |                 app_solicit
  |                 base_reachable_time
  |                 delay_first_probe_time
  |                 gc_interval              (/default only)
  |                 gc_stale_time
  |                 gc_thresh1               (/default only)
  |                 gc_thresh2               (/default only)
  |                 gc_thresh3               (/default only)
  |                 locktime
  |                 mcast_solicit
  |                 proxy_delay
  |                 proxy_qlen
  |                 retrans_time
  |                 ucast_solicit
  |                 unres_qlen
  |
  |-- /route ---- error_burst
  |                 error_cost
  |                 flush
  |                 gc_elasticity
  |                 gc_interval
  |                 gc_min_interval
  |                 gc_thresh
  |                 gc_timeout
  |                 max_delay
  |                 max_size
  |                 min_adv_mss
  |                 min_delay
  |                 min_pmtu
  |                 mtu_expires
  |                 redirect_load
  |                 redirect_number
  |                 redirect_silence
  |
  |-- tcp_abort_on_overflow
  |-- tcp_adv_win_scale
  |-- tcp_app_win
  |-- tcp_dsack
  |-- tcp_fack
  |-- tcp_fin_timeout
  |-- tcp_keepalive_intvl
  |-- tcp_keepalive_probes
  |-- tcp_keepalive_time
  |-- tcp_max_orphans
  |-- tcp_max_syn_backlog
  |-- tcp_max_tw_buckets
  |-- tcp_mem
  |-- tcp_orphan_retries
  |-- tcp_reordering
  |-- tcp_retrans_collapse
  |-- tcp_retries1
  |-- tcp_retries2
  |-- tcp_rfc1337
  |-- tcp_rmem
  |-- tcp_sack
  |-- tcp_stdurg
  |-- tcp_syn_retries
  |-- tcp_synack_retries
  |-- tcp_syncookies
  |-- tcp_timestamps
  |-- tcp_tw_recycle
  |-- tcp_window_scaling
  |-- tcp_wmem
Prevent your system responding to ping requests 

Preventing your system from responding to ping requests can make a big improvement in your 
network security since no one can ping your server and receive an answer. The TCP/IP 
protocol suite has a number of weaknesses that allow an attacker to leverage techniques in the 
form of covert channels to surreptitiously pass data in otherwise benign packets. Preventing your 
server from responding to ping requests can help to minimize this problem. Not responding to 
pings would at least keep most "crackers" out because they would never even know it's there. 


Step 1 
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 





# Enable ignoring ping request 
net.ipv4.icmp_echo_ignore_all = 1 


Step 2 
Once the configuration has been set, you must restart your network for the change to take effect. 
The command to restart the network is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network by using the 
following command into your terminal screen: 
[root@deep /]# sysctl -w net.ipv4.icmp_echo_ignore_all=1 





Refuse responding to broadcasts request 

As with ping requests, it's also important to disable broadcast requests. When a packet is 
sent to an IP broadcast address (i.e. 192.168.1.255) from a machine on the local network, 
that packet is delivered to all machines on that network. Then all the machines on the network 
respond to this ICMP echo request and the result can be severe network congestion or outages 
(Denial-of-Service attacks). See RFC 2644 for more information. 


Step 1 
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 





# Enable ignoring broadcasts request 
net.ipv4.icmp_echo_ignore_broadcasts = 1 
Step 2 
Once the configuration has been set, you must restart your network for the change to take effect. 
The command to restart the network is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network by using the 
following command into your terminal screen: 
[root@deep /]# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 





Routing Protocols 

Routing and routing protocols can create several problems. IP source routing, where an IP packet 
contains details of the path to its intended destination, is dangerous because according to RFC 
1122 the destination host must respond along the same path. If an attacker was able to send a 
source routed packet into your network, then he would be able to intercept the replies and fool 
your host into thinking it is communicating with a trusted host. 


I strongly recommend that you disable IP source routing on all network interfaces on the system 
to protect your server from this hole. In the configuration below, we disable IP source routing on 
all interfaces on the system, even for the interface eth1, which represents your second network 
card if you have one. If eth1 doesn't exist on your system, then omit the line related to eth1 in 
your sysctl.conf file. 


Step 1 
To disable IP source routing on your server, proceed as follows: 


• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines: 


# Disables IP source routing 
net.ipv4.conf.all.accept_source_route = 0 
net.ipv4.conf.lo.accept_source_route = 0 
net.ipv4.conf.eth0.accept_source_route = 0 
net.ipv4.conf.eth1.accept_source_route = 0 
net.ipv4.conf.default.accept_source_route = 0 


Step 2 
Once configurations have been set, you must restart your network for the change to take effect. 
The command to restart the network is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 
NOTE: This parameter is dependent on the kernel configuration. If the kernel is configured for a 
regular host, the default setting 'yes' for this parameter can be acceptable, and 'no' must be set for 
a router configuration. 1 means yes, 0 means no. 


There is another way to update the entry without restarting the network by using the following 
command into your terminal screen: 

[root@deep /]# sysctl -w net.ipv4.conf.all.accept_source_route=0 
[root@deep /]# sysctl -w net.ipv4.conf.lo.accept_source_route=0 
[root@deep /]# sysctl -w net.ipv4.conf.eth0.accept_source_route=0 
[root@deep /]# sysctl -w net.ipv4.conf.eth1.accept_source_route=0 
[root@deep /]# sysctl -w net.ipv4.conf.default.accept_source_route=0 





Enable TCP SYN Cookie Protection 

A "SYN Attack" is a Denial of Service (DoS) attack that consumes all the resources on your 
machine, forcing you to reboot. Denials of Service attacks (attacks which incapacitate a server 
due to high traffic volume or ones that tie-up system resources enough that the server cannot 
respond to a legitimate connection request from a remote system) are easily achievable from 
internal resources or external connections via extranets and Internet. Enabling TCP SYN Cookie 
Protection will help to eliminate the problem. 


Step 1 
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 


# Enable TCP SYN Cookie Protection 
net.ipv4.tcp_syncookies = 1 





Step 2 
Once the configuration has been set, you must restart your network for the change to take effect. 
The command to restart the network is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








WARNING: If you receive an error message during execution of the above command, check that 
you have enabled the TCP syncookies option in your kernel configuration: IP: TCP syncookie 
support (not enabled per default) (CONFIG_SYN_COOKIES) [N/y/?]. 








There is another way to update the entry without restarting the network by using the following 
command into your terminal screen: 
[root@deep /]# sysctl -w net.ipv4.tcp_syncookies=1 
Disable ICMP Redirect Acceptance 

When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect 
packet is used by routers to inform the hosts what the correct route should be. If an attacker is 
able to forge ICMP redirect packets, he or she can alter the routing tables on the host and 
possibly subvert the security of the host by causing traffic to flow via a path you didn't intend. It's 
strongly recommended to disable ICMP Redirect Acceptance on all available interfaces on the 
server to protect it from this hole. In the configuration below, we disable ICMP redirect 
acceptance for all possible interfaces on the system, even for the interface eth1, which 
represents your second network card if you have one. If eth1 doesn't exist on your system, then 
omit the line related to eth1 in your sysctl.conf file. 


Step 1 
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines: 


# Disable ICMP Redirect Acceptance 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.lo.accept_redirects = 0 
net.ipv4.conf.eth0.accept_redirects = 0 
net.ipv4.conf.eth1.accept_redirects = 0 
net.ipv4.conf.default.accept_redirects = 0 

















Step 2 
Once configurations have been set, you must restart your network for the change to take effect. 
The command to restart the network is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: If the kernel is configured for a regular host, the default setting 'yes' for this parameter can 
be acceptable, and 'no' must be set for a router configuration. 1 means yes, 0 means no. 


There is another way to update the entry without restarting the network by using the following 
command into your terminal screen: 

[root@deep /]# sysctl -w net.ipv4.conf.all.accept_redirects=0 
[root@deep /]# sysctl -w net.ipv4.conf.lo.accept_redirects=0 
[root@deep /]# sysctl -w net.ipv4.conf.eth0.accept_redirects=0 
[root@deep /]# sysctl -w net.ipv4.conf.eth1.accept_redirects=0 
[root@deep /]# sysctl -w net.ipv4.conf.default.accept_redirects=0 
Enable bad error message Protection 
This option will alert you about all bad error messages in your network. 


Step 1 
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line: 








# Enable bad error message Protection 
net.ipv4.icmp_ignore_bogus_error_responses = 1 








Step 2 
Once configuration has been set, you must restart your network for the change to take effect. The 
command to restart the network is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters [OK] 
Bringing up interface lo [OK] 
Bringing up interface eth0 [OK] 
Bringing up interface eth1 [OK] 








NOTE: There is another way to update the entry without restarting the network by using the 
following command into your terminal screen: 
[root@deep /]# sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 











Enable IP spoofing protection 

The spoofing protection prevents your network from being the source of spoofed (i.e. forged) 
communications that are often used in DoS Attacks. In the configuration below, we enable source 
route verification for all possible interfaces on the system, even for the interface eth1, which 
represents your second network card if you have one. If eth1 doesn't exist on your system, then 
omit the line related to eth1 in your sysctl.conf file. 


Step 1
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1





Step 2
Once the configuration has been made, you must restart your network for the change to take
effect. The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]
NOTE: This parameter will prevent spoofing attacks against your internal networks, but your
external addresses can still be spoofed.

There is another way to update the entry without restarting the network, by typing the following
commands into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.conf.all.rp_filter=1
[root@deep /]# sysctl -w net.ipv4.conf.lo.rp_filter=1
[root@deep /]# sysctl -w net.ipv4.conf.eth0.rp_filter=1
[root@deep /]# sysctl -w net.ipv4.conf.eth1.rp_filter=1
[root@deep /]# sysctl -w net.ipv4.conf.default.rp_filter=1





Enable Log Spoofed, Source Routed and Redirect Packets

This change will log all Spoofed Packets, Source Routed Packets, and Redirect Packets to your
log files. In the configuration below, we enable "Log Spoofed, Source Routed and Redirect
Packets" for all possible interfaces on the system, even for the interface eth1, which represents
your second network card if you have one. If eth1 doesn't exist on your system, then omit the
line related to eth1 in your sysctl.conf file.


Step 1
• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.eth1.log_martians = 1
net.ipv4.conf.default.log_martians = 1


Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]








NOTE: There is another way to update the entry without restarting the network, by typing the
following commands into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.conf.all.log_martians=1
[root@deep /]# sysctl -w net.ipv4.conf.lo.log_martians=1
[root@deep /]# sysctl -w net.ipv4.conf.eth0.log_martians=1
[root@deep /]# sysctl -w net.ipv4.conf.eth1.log_martians=1
[root@deep /]# sysctl -w net.ipv4.conf.default.log_martians=1
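As an added example (not code from the book), the following POSIX shell script audits a sysctl snapshot against the accept_redirects, icmp_ignore_bogus_error_responses, rp_filter and log_martians values set in the four sections above, so that a host which has drifted from this configuration is reported rather than assumed compliant. The function names, the expected-value list and the "key = value" snapshot format are assumptions; audit_live assumes a sysctl binary that supports -a.

```shell
#!/bin/sh
# Added example (not from the book): audit a host's sysctl settings against the
# hardening values this chapter adds to /etc/sysctl.conf, so drift from the
# intended configuration is reported instead of silently going unnoticed.

# Expected values, taken from the chapter. The chapter also sets the same keys
# per interface (lo, eth0, eth1); add those entries for the interfaces the host has.
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1'

# lookup_key FILE KEY: print the value of "KEY = VALUE" (or "KEY=VALUE") in FILE.
# The last occurrence wins, as sysctl itself applies a file in order.
lookup_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit_snapshot FILE: FILE is a snapshot in "key = value" form (the output of
# `sysctl -a`, or /etc/sysctl.conf itself). Prints one line per problem and
# returns the number of problems, so 0 means every expected setting is in place.
audit_snapshot() {
    problems=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(lookup_key "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key expected=$want"
            problems=$((problems + 1))
        elif [ "$have" != "$want" ]; then
            echo "DRIFT $key expected=$want actual=$have"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# audit_live: snapshot the running kernel with sysctl -a and audit it.
audit_live() {
    snap=$(mktemp) || return 1
    sysctl -a 2>/dev/null > "$snap"
    audit_snapshot "$snap"
    rc=$?
    rm -f "$snap"
    return "$rc"
}

# Audit the live kernel only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

Run it as `sh audit.sh --live` on the server after the restart; a non-zero exit status means at least one of the chapter's settings is missing or has a different value.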
Optimizing TCP/IP Networking

This section deals with actions we can take to improve and tighten the performance of Linux
TCP/IP networking. Note that we refer to the features available within the base installed Linux
system. Below I show you only the parameters which can be used to optimize the TCP/IP
networking of your system. All the suggestions I make in this section are valid for all kinds of
servers. The only difference depends on the amount of RAM your machines have, and this
is where some settings will change. The majority of the following hacks will work very well with
servers having >= 512MB of RAM, or at a minimum 256MB of RAM. Below this amount of memory,
nothing is guaranteed and the default settings will be just fine for you.


Better manage your TCP/IP resources

This hack simply lowers the default time values for TCP/IP connections so that more
connections can be handled at a time by your TCP/IP stack. The following will decrease
the amount of time your Linux machine will take to finish closing a connection and the amount
of time before it will kill a stale connection. This will also turn off some IP extensions that aren't
needed.

The default setup for the TCP/IP parameters we'll change under Red Hat Linux are:
For the tcp_fin_timeout "60"
For the tcp_keepalive_time "7200"
For the tcp_window_scaling "1"
For the tcp_sack "1"
For the tcp_timestamps "1"


Step 1
To adjust the new TCP/IP values, type the following commands on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling support
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack support
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps support
net.ipv4.tcp_timestamps = 0








Step 2
Once the parameters have been changed, you must restart your network for the changes to take
effect. The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network, by typing the
following commands into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.tcp_fin_timeout=30
[root@deep /]# sysctl -w net.ipv4.tcp_keepalive_time=1800
[root@deep /]# sysctl -w net.ipv4.tcp_window_scaling=0
[root@deep /]# sysctl -w net.ipv4.tcp_sack=0
[root@deep /]# sysctl -w net.ipv4.tcp_timestamps=0





Better manage your buffer-space resources

The three parameters below are related to the 'total', 'read', and 'write' TCP buffer-space that the
kernel will allocate for your TCP/IP stack. We generally tune these to improve the
maximum TCP buffer-space on the system by increasing the default values to something
reasonable, scaling them once for every 64M of RAM we have: i.e. for a machine with 256 MB of RAM,
set them to 28672 and 16384 for the tcp_mem and tcp_wmem parameters (256/64=4, 4*7168=28672
and 256/64=4, 4*4096=16384), and to three times the value of tcp_wmem for tcp_rmem
(3*16384=49152).

The default setup for the buffer-space resources we'll change under Red Hat Linux are:
For the tcp_mem "7168 7680 8192"
For the tcp_wmem "4096 16384 131072"
For the tcp_rmem "4096 87380 174760"


Step 1
To adjust the new buffer-space values, type the following commands on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 28672 28672 32768

# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 16384 65536 524288

# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 49152 196608 1572864

NOTE: For super computers with a lot of RAM (> 2GB), we can set the new values to:
net.ipv4.tcp_mem = 100000000 100000000 100000000
net.ipv4.tcp_wmem = 100000000 100000000 100000000
net.ipv4.tcp_rmem = 30000000 30000000 30000000





Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]


TCP/IP Network Management
CHAPTER 7








NOTE: There is another way to update the entry without restarting the network, by typing the
following commands into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.tcp_mem="28672 28672 32768"
[root@deep /]# sysctl -w net.ipv4.tcp_wmem="16384 65536 524288"
[root@deep /]# sysctl -w net.ipv4.tcp_rmem="49152 196608 1572864"





Better manage your buffer-size resources

The four parameters below are related to the maximum and default settings of the socket receive
and send buffer sizes in bytes. We generally tune these to improve the maximum and
default socket buffer-size of the network core options by increasing the default values to
something reasonable like 65535 for every 64M of RAM we have: i.e. for a machine with 256 MB
of RAM, the new values will be 262140 (256/64=4, 4*65535=262140).

The default setup for the buffer-size resources we'll change under Red Hat Linux are:
For the rmem_max "65535"
For the rmem_default "65535"
For the wmem_max "65535"
For the wmem_default "65535"


Step 1
To adjust the new buffer-size values, type the following commands on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 262140
net.core.rmem_default = 262140

# Increase the maximum and default send socket buffer size
net.core.wmem_max = 262140
net.core.wmem_default = 262140

NOTE: For super computers with a lot of RAM (> 2GB), we can set the new values to:
net.core.rmem_max = 10485760
net.core.rmem_default = 10485760
net.core.wmem_max = 10485760
net.core.wmem_default = 10485760

















Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network, by typing the
following commands into your terminal screen:

[root@deep /]# sysctl -w net.core.rmem_max=262140
[root@deep /]# sysctl -w net.core.rmem_default=262140
[root@deep /]# sysctl -w net.core.wmem_max=262140
[root@deep /]# sysctl -w net.core.wmem_default=262140

















The tcp_max_tw_buckets parameter

The tcp_max_tw_buckets /proc/sys/net/ipv4/tcp_max_tw_buckets sets the TCP time-
wait buckets pool size for the system. For high-usage systems you may change its default
parameter to something reasonable like 180000 for every 64M of RAM we have: i.e. for a
machine with 256 MB of RAM, the new value will be 720000 (256/64=4, 4*180000=720000), or
for super computers with a lot of RAM (> 2GB) you can set this value to 2000000.

The default setup for the tcp_max_tw_buckets parameter under Red Hat Linux is:
"180000"


Step 1
To change the value of tcp_max_tw_buckets, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 720000


Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network, by typing the
following command into your terminal screen:
[root@deep /]# sysctl -w net.ipv4.tcp_max_tw_buckets=720000
The ip_local_port_range parameters

The ip_local_port_range /proc/sys/net/ipv4/ip_local_port_range defines the
local port range that is used by TCP and UDP traffic to choose the local port. You will see in the
parameters of this file two numbers: the first number is the first local port allowed for TCP and
UDP traffic on the server, the second is the last local port number.

For high-usage systems you may change its default parameters to 16384-65536 (first-last),
but only for high-usage systems, or you will surely receive error messages like: "resource
temporarily unavailable".

The default setup for the ip_local_port_range parameter under Red Hat Linux is:
"32768 61000"





Step 1
To change the values of ip_local_port_range, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536


Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network, by typing the
following command into your terminal screen:
[root@deep /]# sysctl -w net.ipv4.ip_local_port_range="16384 65536"





The ipfrag_high_thresh and ipfrag_low_thresh parameters

The two parameters below relate to the maximum memory used to reassemble IP fragments.
When ipfrag_high_thresh bytes of memory are allocated for this purpose, the fragment
handler will toss packets until ipfrag_low_thresh is reached.

The default setup for the ipfrag_high_thresh and ipfrag_low_thresh parameters under
Red Hat Linux are:
For the ipfrag_high_thresh "262144"
For the ipfrag_low_thresh "196608"
Step 1
To change the values of ipfrag_high_thresh and ipfrag_low_thresh, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464


Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network, by typing the
following commands into your terminal screen:

[root@deep /]# sysctl -w net.ipv4.ipfrag_high_thresh=512000
[root@deep /]# sysctl -w net.ipv4.ipfrag_low_thresh=446464





The optmem_max and hot_list_length parameters

Finally, the last two parameters we will show here are related to the maximum ancillary buffer size
allowed per socket (ancillary data is a sequence of struct cmsghdr structures with appended
data) and the maximum number of skb-heads that can be cached by the TCP/IP networking
feature of Linux.

For high-usage systems you may change its default parameter to something reasonable like 7168
for every 64M of RAM we have: i.e. for a machine with 256 MB of RAM, the new value will be
28672 for the optmem_max parameter (256/64=4, 4*7168=28672), or for super computers with a lot of
RAM (> 2GB) you can set this value to 10000000 for optmem_max and 102400 for the
hot_list_length parameter.

The default setup for the optmem_max and hot_list_length parameters are:
For the optmem_max "10240"
For the hot_list_length "128"


Step 1
To change the values of optmem_max and hot_list_length, type the following command on
your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 28672

# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 512
Step 2
You must restart your network for the change to take effect. The command to restart the network
is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

NOTE: There is another way to update the entry without restarting the network, by typing the
following commands into your terminal screen:

[root@deep /]# sysctl -w net.core.optmem_max=28672
[root@deep /]# sysctl -w net.core.hot_list_length=512
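As an added example, not from the book, the following POSIX shell function generalizes the per-64MB scaling rule that the buffer-size, tcp_max_tw_buckets and optmem_max sections above work out by hand for 256 MB of RAM, and emits the corresponding sysctl.conf lines for any amount of RAM. The function name is an assumption; the thresholds (keep the defaults below 256 MB, use the fixed "super computer" values above 2 GB) follow the chapter's text.

```shell
#!/bin/sh
# Added example (not from the book): generate the RAM-scaled part of the
# sysctl.conf fragment that this chapter works out by hand for a 256 MB host.
# Rule from the chapter: one base unit for every 64 MB of RAM (256/64 = 4),
# fixed large values above 2 GB, and kernel defaults below 256 MB.
# tcp_mem/tcp_wmem/tcp_rmem are not generated: the chapter gives a rule for
# their first field only.

# recommend_sysctl MB: print sysctl.conf lines for a host with MB of RAM.
# Returns 1 (printing only a comment) when the chapter says to keep the defaults.
recommend_sysctl() {
    mb=$1
    if [ "$mb" -lt 256 ]; then
        echo "# $mb MB of RAM: below 256 MB the chapter recommends keeping the defaults"
        return 1
    fi
    if [ "$mb" -gt 2048 ]; then
        # Fixed values the chapter gives for "super computers" (> 2 GB).
        sockbuf=10485760
        twbuckets=2000000
        optmem=10000000
    else
        units=$(( mb / 64 ))             # number of 64 MB blocks
        sockbuf=$(( units * 65535 ))     # socket buffer size: 65535 per block
        twbuckets=$(( units * 180000 ))  # time-wait buckets: 180000 per block
        optmem=$(( units * 7168 ))       # option memory: 7168 per block
    fi
    cat <<EOF
# Increase the maximum and default receive socket buffer size
net.core.rmem_max = $sockbuf
net.core.rmem_default = $sockbuf
# Increase the maximum and default send socket buffer size
net.core.wmem_max = $sockbuf
net.core.wmem_default = $sockbuf
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = $twbuckets
# Increase the maximum amount of option memory buffers
net.core.optmem_max = $optmem
EOF
}

# The chapter's worked case: 256 MB gives 262140, 720000 and 28672.
recommend_sysctl 256
```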








Testing TCP/IP Networking
Once we have applied TCP/IP security and optimization parameters to our server and checked
or configured all files related to network functionality, we can run some tests to verify that
everything works as expected.

Step 1
Before running these tests, it is important to verify that the iputils package is installed on your
system. If you have carefully followed every step during our installation of Linux on your
computer, then this package is not installed.

• To verify if the iputils package is installed on your system, use the following command:
[root@deep /]# rpm -q iputils
package iputils is not installed


Step 2
If the iputils package is not installed, you need to mount your CD-ROM drive
containing the Red Hat CD-ROM Part 1 and install it.

• To mount the CD-ROM drive, use the following command:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
hda: ATAPI 32X CD-ROM drive, 128kB Cache
mount: block device /dev/cdrom is write-protected, mounting read-only

Step 3
• To install the iputils package on your Linux system, use the following command:
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh iputils-version.i386.rpm
iputils ##################################################

Step 4
• To unmount your CD-ROM drive, use the following command:
[root@deep RPMS]# cd /; umount /mnt/cdrom/
Once the iputils package is installed on your system, it is time to run the tests to see if the
network works as expected. It is important to note that at this stage every test must be successful
and not have any errors. It is your responsibility to know and understand networking
architecture and basic TCP/IP protocols before testing any part of your networking configuration
and topology.


Step 1
To begin, we can use the ifconfig utility to display all the network interfaces on the server.

• To display all the interfaces you have on your server, use the command:
[root@deep /]# ifconfig

The output should look something like this:

eth0      Link encap:Ethernet  HWaddr 00:E0:18:90:1B:56
          inet addr:208.164.186.2  Bcast:208.164.186.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xa800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:139 errors:0 dropped:0 overruns:0 frame:0
          TX packets:139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

NOTE: If the ifconfig tool is invoked without any parameters, it displays all the interfaces you
configured. The option "-a" shows the inactive ones as well.





• To display all interfaces as well as inactive interfaces you may have, use the command:
[root@deep /]# ifconfig -a

The output should look something like this:

eth0      Link encap:Ethernet  HWaddr 00:E0:18:90:1B:56
          inet addr:208.164.186.2  Bcast:208.164.186.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xa800

eth1      Link encap:Ethernet  HWaddr 00:E0:18:90:1B:56
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1295 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1163 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:5 Base address:0xa320

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:139 errors:0 dropped:0 overruns:0 frame:0
          TX packets:139 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0


Step 2
If all network interfaces on the server look as you expect, then it is time to verify that you can
reach your hosts. Choose a host from your internal network, for instance 192.168.1.1

• To verify that you can reach your internal hosts, use the command:
[root@deep /]# ping 192.168.1.1

The output should look something like this:

PING 192.168.1.1 (192.168.1.1) from 192.168.1.1 : 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=128 time=1.0 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=1.0 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=128 time=1.0 ms

--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.0/1.0 ms

WARNING: Do not try to ping a host on which you have applied the previous TCP/IP security
settings that prevent the system from responding to ping requests. Instead, try to ping another host
without this feature enabled. Also, if you don't receive an answer from the internal host you try to
ping, verify that your hubs, routers, network cards, and network topology are correct.





If you are able to ping your internal host, congratulations! Now we must ping an external
network, for instance 216.148.218.195

• To verify that you can reach the external network, use the command:
[root@deep /]# ping 216.148.218.195

The output should look something like this:

PING 216.148.218.195 (216.148.218.195) from 216.148.218.195 : 56 data bytes
64 bytes from 216.148.218.195: icmp_seq=0 ttl=128 time=1.0 ms
64 bytes from 216.148.218.195: icmp_seq=1 ttl=128 time=1.0 ms
64 bytes from 216.148.218.195: icmp_seq=2 ttl=128 time=1.0 ms
64 bytes from 216.148.218.195: icmp_seq=3 ttl=128 time=1.0 ms

--- 216.148.218.195 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.0/1.0/1.0 ms


Step 3
You should now display the routing information with the command route to see if the hosts have
the correct routing entries.

• To display the routing information, use the command:
[root@deep /]# route -n

The output should look something like this:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
208.164.186.2   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
208.164.186.0   208.164.186.2   255.255.255.0   UG    0      0        0 eth0
208.164.186.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
Step 4
Another useful option is "netstat -vat", which shows all active and listening TCP connections.

• To show all active and listening TCP connections, use the command:
[root@deep /]# netstat -vat

The output may look something similar to this example, depending on whether the related services are
running. Be aware that your results will almost certainly vary from the ones shown below:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 deep.openna.co:domain   *:*                     LISTEN
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 deep.openna.com:ssh     gate.openna.com:1682    ESTABLISHED
tcp        0      0 *:webcache              *:*                     LISTEN
tcp        0      0 deep.openna:netbios-ssn *:*                     LISTEN
tcp        0      0 localhost:netbios-ssn   *:*                     LISTEN
tcp        0      0 localhost:1032          localhost:1033          ESTABLISHED
tcp        0      0 localhost:1033          localhost:1032          ESTABLISHED
tcp        0      0 localhost:1030          localhost:1031          ESTABLISHED
tcp        0      0 localhost:1031          localhost:1030          ESTABLISHED
tcp        0      0 localhost:1028          localhost:1029          ESTABLISHED
tcp        0      0 localhost:1029          localhost:1028          ESTABLISHED
tcp        0      0 localhost:1026          localhost:1027          ESTABLISHED
tcp        0      0 localhost:1027          localhost:1026          ESTABLISHED
tcp        0      0 localhost:1024          localhost:1025          ESTABLISHED
tcp        0      0 localhost:1025          localhost:1024          ESTABLISHED
tcp        0      0 deep.openna.com:www     *:*                     LISTEN
tcp        0      0 deep.openna.com:https   *:*                     LISTEN
tcp        0      0 *:389                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN

Step 5
Sometimes machines on your network will discard your IP packets, and finding the offending
gateway responsible can be difficult. Fortunately the tracepath utility attempts to trace the
route an IP packet would follow to some Internet host. Choose an Internet host, for instance
64.81.28.146

• To print the route packets take to a network host, use the command:
[root@deep /]# tracepath 64.81.28.146

The output should look something like this:

 1?: [LOCALHOST]     pmtu 1500
LPs BOP. 35:0 78% 1
222 V0. 706121
 3?: 206.47.228.178
 4?: 206.108.97.149
 5?: 206.108.103.214
 6?: 206.108.103.228
 7?: 208.51.134.9
 8?: 208.48.234.189
 9?: 206.132.41.78        asymm 10
10?: 204.246.213.226      asymm 13
11?: 206.253.192.217      asymm 13
12?: 206.253.195.218      asymm 14
13:  64.81.28.146         asymm 15 139ms reached
     Resume: pmtu 1500 hops 13 back 15


Step 6
Finally, we will use the hostname command of Linux to show if our system's host name is
correct.

• To display and print the current host name of your server, use the command:
[root@deep /]# hostname
deep

The hostname command without any options will print the current host name of our system, in
this example "deep".

Now, it's important to verify if the Fully Qualified Domain Name (FQDN) of our server is reported
correctly.

• To display and print the FQDN of your server, use the command:
[root@deep /]# hostname -f
deep.openna.com

The last checkup
If you can answer "Yes" to each of the questions below, then your network is working and you
can continue.
✓ Parameters inside the ifcfg-ethN files are correct
✓ The /etc/resolv.conf file contains your primary and secondary Domain Name Server
✓ All parameters included in the /etc/host.conf file are correct
✓ All parameters included in the /etc/sysconfig/network file are correct
✓ The /etc/hosts file contains the mapping of your hostnames to IP addresses
✓ All network interfaces on the server have the right parameters
✓ You can reach the internal and external hosts
✓ Your hosts have the correct routing entries
✓ The status of the interfaces has been checked and looks fine
✓ You are able to print the route packets take to a network host
In this Chapter

What is a Network Firewall Security Policy?
The Demilitarized Zone
What is Packet Filtering?
The topology
Building a kernel with IPTABLES Firewall support
Rules used in the firewall script files
/etc/rc.d/init.d/iptables: The Web Server File
/etc/rc.d/init.d/iptables: The Mail Server File
/etc/rc.d/init.d/iptables: The Primary DNS File
/etc/rc.d/init.d/iptables: The Secondary DNS File
Linux IPTABLES Packet Filter

Abstract

The new Linux kernel, like the two previous kernels, supports a new mechanism for building
firewalls, network packet filtering (netfilter). The new mechanism, which is controlled by a tool
named iptables, is more sophisticated than the previous ones (ipchains) and more secure.
This easy to configure new mechanism is also the first stateful firewall on a Linux operating
system. Stateful firewalling represents a major technological jump in the intelligence of a firewall
and allows, for example, blocking/detecting many stealth scans that were undetected on previous
generations of Linux firewalls; it also blocks most DoS attacks by rate limiting user-
defined packet types, since it keeps in memory each connection passing through it.

This new technology implies that if a foreign packet tries to enter the network by claiming to be part
of an existing connection, IPTABLES can consult its list of connections, which it keeps in memory,
and if it finds that the packet doesn't match any of these, it will drop that packet, which will defeat
the scan in many cases! I will say that 50% of security on a network depends on a good firewall,
and everyone should now run IPTABLES on a Linux server to reach this level of security.








Can someone tell me why I might want something like a commercial firewall product rather than
simply using the new iptables tool of Linux and restricting certain packets? What am I losing
by using iptables? Now, there is undoubtedly room for a lot of debate on this; iptables is as
good as, and most of the time better than, commercial firewall packages from a functionality and
support standpoint. You will probably have more insight into what's going on in your network
using iptables than with a commercial solution.

That being said, a lot of corporate types want to tell their shareholders, CEO/CTO/etc. that they
have the backing of a reputable security software company. The firewall could be doing nothing
more than passing through all traffic, and still the corporate type would be more comfortable than
having to rely on the geeky guy in the corner cube who gets grumpy if you turn the light on before
noon.

In the end, a lot of companies want to be able to turn around and demand some sort of restitution
from a vendor if the network is breached, whether or not they'd actually get anything or even try.
All they can typically do with an open source solution is fire the guy that implemented it. At least
some of the commercial firewalls are based on Linux or something similar. It's quite probable that
iptables is secure enough for you, but not for those engaging in serious amounts of high stakes
bond trading.

Doing a cost/benefit analysis and asking a lot of pertinent questions is recommended before
spending serious money on a commercial firewall; otherwise you may end up with something
inferior to your iptables tool. Quite a few of the NT firewalls are likely to be no better than
iptables, and the general consensus on bugtraq and NT bugtraq is that NT is "far too
insecure" to run a serious firewall.
Prerequisites

Linux IPTABLES requires that the software listed below be already installed on your system to be
able to run and work successfully. If this is not the case, you must install it from your Linux CD-
ROM or source archive files. Please make sure you have all of these programs installed on your
machine before you proceed with this chapter.

✓ Kernel 2.4 is required to set up firewalls as well as IP masquerading in your system.

✓ The iptables package is the new, secure and more powerful program used by Linux to set
up firewalls as well as IP masquerading in your system.

• To verify if the iptables package is installed on your system, use the command:
[root@deep /]# rpm -q iptables
package iptables is not installed

• To mount your CD-ROM drive before installing the required package, use the command:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
hda: ATAPI 32X CD-ROM drive, 128kB Cache
mount: block device /dev/cdrom is write-protected, mounting read-only

• To install the iptables package on your Linux system, use the following command:
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh iptables-version.i386.rpm
iptables ##################################################

• To unmount your CD-ROM drive, use the following command:
[root@deep RPMS]# cd /; umount /mnt/cdrom/


What is a Network Firewall Security Policy? 

Network firewall security policy defines those services that will be explicitly allowed or denied, 
how these services will be used and the exceptions to these rules. An organization's overall 
security policy must be determined according to security and business-need analysis. Since a 
firewall relates to network security alone, a firewall has little value unless the overall security 
policy is properly defined. Every rule in the network firewall security policy should be implemented 
on a firewall. Generally, a firewall uses one of the following methods. 


Everything not specifically permitted is denied 

This approach blocks all traffic between two networks except for those services and applications 
that are permitted. Therefore, each desired service and application should be implemented one 
by one. No service or application that might be a potential hole on the firewall should be 
permitted. This is the most secure method, denying services and applications unless explicitly 
allowed by the administrator. On the other hand, from the users' point of view, it might be more 
restrictive and less convenient. This is the method we will use in our firewall configuration files in 
this book. 


Everything not specifically denied is permitted 

This approach allows all traffic between two networks except for those services and applications 
that are denied. Therefore, each untrusted or potentially harmful service or application should be 
denied individually. Although this is a flexible and convenient method for the users, it could 
potentially cause some serious security problems. 
The Demilitarized Zone 

A demilitarized zone (DMZ) refers to a part of the network that is neither part of the internal 
network nor directly part of the Internet. Typically, this is the area between your Internet access 
router and your bastion host (internal network), though it can be between any two policy-enforcing 
components of your architecture. A DMZ minimizes the exposure of hosts on your external LAN 
by allowing only recognized and managed services on those hosts to be accessible by hosts on 
the Internet. This is the firewall architecture we will use throughout this book for all 
networking services and firewall implementations we want to install on different servers. A 
demilitarized zone (DMZ) is the most widely used firewall architecture. 

The boxes between Hub A and B are in the 'DMZ'. Hub A only routes traffic between the Internet 
and the DMZ. Hub B only routes traffic between the DMZ and the Intranet. The theory is that all 
traffic between the Intranet and the Internet has to pass through a machine in the DMZ. The 
machine in the DMZ can be used to authenticate, record, and control all traffic. 
What is Packet Filtering? 

Packet Filtering (netfilter) is the type of firewall built into the Linux kernel (as a kernel module, or 
built right in). A filtering firewall works at the network level. Data is only allowed to leave the 
system if the firewall rules allow it. As packets arrive they are filtered by their type, source 
address, destination address, and port information contained in each packet. 

Most of the time, packet filtering is accomplished by using a router that can forward packets 
according to filtering rules. When a packet arrives at the packet-filtering router, the router extracts 
certain information from the packet header and makes decisions according to the filter rules as to 
whether the packet will pass through or be discarded. 

The following information can be extracted from the packet header: 

✓ Source IP address 
✓ Destination IP address 
✓ TCP/UDP source port 
✓ TCP/UDP destination port 
✓ ICMP message type 
✓ Encapsulated protocol information (TCP, UDP, ICMP or IP tunnel) 

Because very little data is analyzed and logged, filtering firewalls take less CPU power and create 
less latency in your network. There are lots of ways to structure your network to protect your 
systems using a firewall. 


The topology 

All servers should be configured to block at least the unused ports, even if they are not a 
firewall server. This is required for increased security. Imagine that someone gains access to 
your firewall gateway server: if your servers are not configured to block unused ports, this is a 
serious network security risk. The same is true for local connections; unauthorized employees 
can gain access from the inside to your other servers. 


In our configuration we will give you five different examples that can help you to configure your 
firewall rules depending on the type of the server you want to protect and the placement of these 
servers on your network architecture. It is important to note that the below examples are only a 
starting point since everyone's needs are different, and it is impossible to cover all firewall 
techniques in one chapter, so I recommend you read some good articles or books about firewalls if 
you need more help to go deeper with your firewall implementation. 

The first example firewall rules file will be for a Web Server, the second for a Mail Server, the third 
for a Primary Domain Name Server, the fourth for a Secondary Domain Name Server and the last 
for a Gateway Server that acts as proxy for the inside Workstations and Servers machines. As 
you can imagine, many possibilities exist for the configuration of your firewall, depending on the 
tasks you want to assign to the servers in your network. The five examples we show you are the 
most common and contain different rules that you can apply or change to fit your own needs. See 
the diagram below to get an idea. 
Building a kernel with IPTABLES Firewall support 

The first thing you need to do is ensure that your kernel has been built with the netfilter 
infrastructure compiled in it: netfilter is a general framework inside the Linux kernel, which other 
things (such as the iptables module) can plug into. This means you need kernel 2.4.0 or 
greater, and answer "y" or "m" to the following questions depending on the kernel type you have 
configured: 

* Networking options 
Packet socket (CONFIG_PACKET) [Y/m/n/?] 
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y 
Kernel/User netlink socket (CONFIG_NETLINK) [N/y/?] y 
Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y 
Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) y 
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y 
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y 
Socket Filtering (CONFIG_FILTER) [N/y/?] 
Unix domain sockets (CONFIG_UNIX) [Y/m/n/?] 
TCP/IP networking (CONFIG_INET) [Y/n/?] 
IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n 
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?] 
IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?] 
IP: tunneling (CONFIG_NET_IPIP) [N/y/?] 
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/?] 
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?] 
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [N/y/?] y 
* 
* IP: Netfilter Configuration 
* 
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/?] (NEW) 
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/?] (NEW) y 
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/y/m/?] (NEW) y 
MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/y/m/?] (NEW) y 
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/y/m/?] (NEW) y 
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/y/m/?] (NEW) y 
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/y/m/?] (NEW) y 
Packet filtering (CONFIG_IP_NF_FILTER) [N/y/m/?] (NEW) y 
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/y/m/?] (NEW) y 
Packet mangling (CONFIG_IP_NF_MANGLE) [N/y/m/?] (NEW) y 
TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/y/m/?] (NEW) y 
MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/y/m/?] (NEW) y 
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/y/m/?] (NEW) y 

WARNING: If you have followed the Linux Kernel chapter and have recompiled your kernel, all the 
required options for firewall support, as shown above, are already set. Remember, all servers 
should be configured to block unused ports, even if they are not a firewall server. 





Rules used in the firewall script files 

The following is an explanation of a few of the rules that will be used in the firewalling examples 
below. This is shown just as a reference; the firewall scripts are well commented and very easy to 
modify. 

Constants used in the firewall script file examples 
Constants are used for most values. The most basic constants are: 

EXTERNAL_INTERFACE 
This is the name of the external network interface to the Internet. It's defined as eth0 in the 
examples. 

LOCAL_INTERFACE_1 
This is the name of the internal network interface to the LAN, if any. It's defined as eth1 in the 
examples. 

LOOPBACK_INTERFACE 
This is the name of the loopback interface. It's defined as lo in the examples. 

IPADDR 
This is the IP address of your external interface. It's either a static IP address registered with 
InterNIC, or else a dynamically assigned address from your ISP (usually via DHCP). For static IP 
addresses, a script line will automatically find the required IP address on your interface and report 
it to the firewall program. 

INTRANET 
This is your LAN network address, if any - the entire range of IP addresses used by the machines 
on your LAN. These may be statically assigned, or you might run a local DHCP server to assign 
them. In these examples, the range is 192.168.1.0/24, part of the Class C private address 
range. 

PRIMARY_NAMESERVER 
This is the IP address of your Primary DNS Server from your network or your ISP. 

SECONDARY_NAMESERVER 
This is the IP address of your Secondary DNS Server from your network or your ISP. 

NOTE: People with dynamically assigned IPs from an ISP may include the following lines in their 
declarations for the firewall. The lines will determine the ppp0 IP address, external interface 
device, and the network of the remote ppp server. 

EXTERNAL_INTERFACE="ppp0" 
IPADDR=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 } ' | sed -e s/addr://` 

For a DHCP client connection I recommend you install pump rather than dhcpd. Pump is smaller, faster 
and easier to use than dhcpd. For a DHCP connection the value for the IPADDR parameter will be 
the following line. 

IPADDR=`/sbin/ifconfig | grep -A 4 eth0 | awk '/inet/ { print $2 } ' | sed -e s/addr://` 
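As an added example (mine, not from the book), the same ifconfig-parsing idea as the IPADDR lines above, run over a constructed 2.4-era ifconfig dump instead of a live /sbin/ifconfig. The grep -A 4 form keys on any line that contains the interface name, so when an alias such as eth0:1 exists it yields two addresses and IPADDR becomes a two-line value; the anchored awk version returns exactly one. The sample output, the addresses and the function names are assumptions.

```shell
# Constructed ifconfig output (not captured from a real host) with an alias
# interface eth0:1 and a ppp0 link, to exercise both IPADDR derivations above.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0:1    Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:203.0.113.11  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:198.51.100.7  P-t-P:198.51.100.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'

# ipaddr_book_style IFACE TEXT: the pipeline from the NOTE above, fed TEXT
# instead of a live /sbin/ifconfig. grep -A 4 keys on any line containing
# IFACE, so "eth0" also pulls in the "eth0:1" block and two addresses come out.
ipaddr_book_style() {
    printf '%s\n' "$2" | grep -A 4 "$1" | awk '/inet/ { print $2 } ' | sed -e s/addr://
}

# ipaddr_of IFACE TEXT: anchored version. The interface name must be the whole
# first field of a header line; the first "inet" line of that block is the
# address, and the next header line ends the block. Prints nothing and returns 1
# when IFACE is absent or has no address, so a missing link is detectable.
ipaddr_of() {
    addr=$(printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == ifc             { found = 1; next }   # header of the wanted interface
        found && /^[^ \t]/    { exit }              # another interface header: stop
        found && $1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }
    ')
    [ -n "$addr" ] && printf '%s\n' "$addr"
}

# Stand-alone run: the anchored version gives one address per interface.
for ifc in eth0 ppp0 lo; do
    printf '%s %s\n' "$ifc" "$(ipaddr_of "$ifc" "$SAMPLE_IFCONFIG")"
done
```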
Enabling Local Traffic 

A firewall has a default policy and a collection of actions to take in response to specific message 
types. This means that if a given packet has not been selected by any other rule, then the default 
policy rule will be applied. Since the default policies for all example firewall rule script files in this 
book are to deny everything, some of these rules must be unset. Local network services do not 
go through the external network interface. They go through a special, private interface called the 
loopback interface. None of your local network programs will work until loopback traffic is allowed. 

# Unlimited traffic on the loopback interface. 
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT 
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT 

Source Address Filtering 

All IP packet headers contain the source and destination IP addresses and the type of IP protocol 
message (ICMP, UDP or TCP) the packet contains. The only means of identification under the 
Internet Protocol (IP) is the source address in the IP packet header. This is a problem that opens 
the door to source address spoofing, where the sender may replace its address with either a 
nonexistent address, or the address of some other site. 

# Refuse incoming packets pretending to be from the external address. 
iptables -A INPUT -s $IPADDR -j DROP 

Also, there are at least seven sets of source addresses you should refuse on your external 
interface in all cases. 

These are incoming packets claiming to be from: 

✓ Your external IP address 
✓ Class A private IP addresses 
✓ Class B private IP addresses 
✓ Class C private IP addresses 
✓ Class D multicast addresses 
✓ Class E reserved addresses 
✓ The loopback interface 

With the exception of your own IP address, blocking outgoing packets containing these source 
addresses protects you from possible configuration errors on your part. 

WARNING: Don't forget to exclude your own IP address from the outgoing packets that are blocked. By default 
I choose to exclude the Class C private IP addresses on the Gateway Server firewall script file, 
since it's the class most people use at this time. If you use another class instead of 
class C, then you must comment out the lines that refer to your class under the "SPOOFING & 
BAD ADDRESSES" section of the firewall script file. Regarding SPOOFING & BAD ADDRESSES in the 
firewall rules, usually only the Gateway Server must have the rule iptables -A INPUT -s 
$CLASS_C -j DROP for Class C commented out, since the internal machines on the Class C network use the 
Gateway for external access. Try uncommenting it and you will see that you no longer have 
access to the Internet from your internal network with Class C IP addresses. Other servers like Web, Mail, 
DNS, FTP, etc. must have this line uncommented. 
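As an added check (my own example, not code from the book), the following reproduces the decision made by the SPOOFING & BAD ADDRESSES section in plain shell, so you can ask offline whether a given source address arriving on the external interface would be refused, and confirm the Gateway exception for Class C described in the warning above. IPADDR is a constructed documentation-range address, and the function names are assumptions.

```shell
# Constants as used by the book's firewall files; IPADDR is a constructed
# documentation-range address standing in for your real external address.
IPADDR="203.0.113.10"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
LOOPBACK="127.0.0.0/8"
BROADCAST_DEST="255.255.255.255"

# Everything the script's INPUT chain drops as a source, in rule order:
# own address, private classes, broadcast, multicast, reserved, then the
# IANA special blocks (0/8, loopback, 169.254/16, 192.0.2/24, 224/3).
BAD_SOURCE_NETS="$IPADDR/32 $CLASS_A $CLASS_B $CLASS_C $BROADCAST_DEST/32
$CLASS_D_MULTICAST $CLASS_E_RESERVED_NET 0.0.0.0/8 $LOOPBACK 169.254.0.0/16
192.0.2.0/24 224.0.0.0/3"

# ip4_to_int ADDR: dotted quad -> 32-bit integer on stdout; exit 1 on garbage.
ip4_to_int() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$addr" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: exit 0 when ADDR lies inside the network.
in_cidr() {
    a=$(ip4_to_int "$1") || return 1
    n=$(ip4_to_int "${2%/*}") || return 1
    p=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# spoofed_source ADDR [ROLE]: exit 0 when the firewall would DROP a packet
# with this source address on the external interface, 1 when it passes the
# spoofing section, 2 when ADDR is not a valid dotted quad. ROLE is "server"
# (Web, Mail, DNS, FTP: the Class C rule is active) or "gateway" (the Class C
# rule is commented out so the LAN behind it can reach the Internet).
spoofed_source() {
    addr=$1; role=${2:-server}
    ip4_to_int "$addr" > /dev/null || return 2
    for net in $BAD_SOURCE_NETS; do
        if [ "$net" = "$CLASS_C" ] && [ "$role" = "gateway" ]; then
            continue
        fi
        if in_cidr "$addr" "$net"; then
            return 0
        fi
    done
    return 1
}
```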
The rest of the rules 
Other rules used in the firewall script files are: 

✓ Accessing a Service from the Outside World 
✓ Offering a Service to the Outside World 
✓ Masquerading the Internal Machines 

The Linux IPTABLES firewall script files 

The tool iptables allows you to set up firewalls, IP masquerading, etc. iptables talks to the 
kernel and tells it what packets to filter. Therefore all your firewall setups are stored in the kernel, 
and thus will be lost on reboot. To avoid this, we recommend using the System V init scripts to 
make your rules permanent. 

To do this, create a firewall script file as shown below in your /etc/rc.d/init.d directory for 
each server you have. Of course, each server may have a different service to offer and would 
therefore need a different firewall setup. For this reason, we provide you with five different firewall 
settings, which you can play with, and examine to fit your needs. Also I assume that you have a 
minimum amount of knowledge on how filtering firewalls and firewall rules work, since it would 
take an entire book to cover and talk about firewalls. 

/etc/rc.d/init.d/iptables: The Web Server File 

This is the configuration script file for our Web Server. This secure configuration allows unlimited 
traffic on the Loopback interface, ICMP, DNS forward-only nameserver (53), SSH Server and 
Client (22), HTTP Server and Client (80), HTTPS Server and Client (443), SMTP Client (25), FTP 
Server (20, 21), and Outgoing Traceroute requests by default. 

If you don't want some services listed in the firewall rules file for the Web Server that I make ON 
by default, comment them out with a "#" at the beginning of the line. If you want some other 
services that I commented out with a "#", then remove the "#" at the beginning of those lines. The 
text in bold is the part of the configuration that must be customized and adjusted to satisfy 
your needs. 

Step 1 
Create the iptables script file (touch /etc/rc.d/init.d/iptables) on your Web Server 
and add the following lines: 





#!/bin/sh
#
# ----------------------------------------------------------------------------
# Copyright (C) 1999, 2001 OpenNA.com
# Last modified by Gerhard Mourani: 04-01-2001 <http://www.openna.com/>
# This firewall configuration is suitable for HTTP, HTTPS and FTP Server.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
#              used to provide firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
        exit 0
fi

if [ ! -x /sbin/iptables ]; then
        exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Firewalling: "

# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \  -f 1`
EXTERNAL_INTERFACE="eth0"                       # Internet connected interface
LOOPBACK_INTERFACE="lo"                         # Your local naming convention
PRIMARY_NAMESERVER="***.***.***.***"            # Your Primary Name Server
SECONDARY_NAMESERVER="***.***.***.***"          # Your Secondary Name Server
#SYSLOG_SERVER="***.***.***.***"                # Your Syslog Internal Server
SMTP_SERVER="***.***.***.***"                   # Your Central Mail Hub Server

LOOPBACK="127.0.0.0/8"                          # Reserved loopback addr range
CLASS_A="10.0.0.0/8"                            # Class A private networks
CLASS_B="172.16.0.0/12"                         # Class B private networks
CLASS_C="192.168.0.0/16"                        # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"                 # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5"              # Class E reserved addr
BROADCAST_SRC="0.0.0.0"                         # Broadcast source addr
BROADCAST_DEST="255.255.255.255"                # Broadcast destination addr
PRIVPORTS="0:1023"                              # Privileged port range
UNPRIVPORTS="1024:"                             # Unprivileged port range

# ----------------------------------------------------------------------------

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.

SSH_LOCAL_PORTS="1022:65535"                    # Port range for local clients
SSH_REMOTE_PORTS="513:65535"                    # Port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------

# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

        # Remove all existing rules belonging to this filter
        iptables -F

        # Remove any existing user-defined chains.
        iptables -X

        # Set the default policy of the filter to deny.
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

# ----------------------------------------------------------------------------
# LOOPBACK
# ----------------------------------------------------------------------------
        # Unlimited traffic on the loopback interface.
        iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
        iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# /etc/rc.d/rc.firewall.blocked contains a list of
# iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
# rules to block from any access.

        # Refuse any connection from problem sites
        if [ -f /etc/rc.d/rc.firewall.blocked ]; then
            deny_file="/etc/rc.d/rc.firewall.blocked"
            temp_file="/tmp/temp.ip.addresses"
            cat $deny_file | sed -n -e 's/^[ ]*\([0-9.]*\).*$/\1/p' \
            | awk ' $1 ' > $temp_file
            while read ip_addy
            do
                case $ip_addy in
                *) iptables -A INPUT  -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
                   iptables -A INPUT  -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
                   iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
                   iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
                   ;;
                esac
            done < $temp_file
            rm -f $temp_file > /dev/null 2>&1
            unset temp_file
            unset deny_file
        fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

        # Refuse incoming packets pretending to be from the external address.
        iptables -A INPUT -s $IPADDR -j DROP

        # Refuse incoming packets claiming to be from a Class A, B or C private
        # network
        iptables -A INPUT -s $CLASS_A -j DROP
        iptables -A INPUT -s $CLASS_B -j DROP
        iptables -A INPUT -s $CLASS_C -j DROP

        # Refuse broadcast address SOURCE packets
        iptables -A INPUT -s $BROADCAST_DEST -j DROP
        iptables -A INPUT -d $BROADCAST_SRC -j DROP

        # Refuse Class D multicast addresses
        # Multicast is illegal as a source address.
        # Multicast uses UDP.
        iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

        # Refuse Class E reserved IP addresses
        iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

        # Refuse special addresses defined as reserved by the IANA.
        # Note: The remaining reserved addresses are not included;
        # filtering them causes problems as reserved blocks are
        # being allocated more often now. The following are based on
        # reservations as listed by IANA as of 2001/01/04. Please regularly
        # check at http://www.iana.org/ for the latest status.
        #
        # Note: this list includes the loopback, multicast, & reserved addresses.

        # 0.*.*.*       - Can't be blocked for DHCP users.
        # 127.*.*.*     - LoopBack
        # 169.254.*.*   - Link Local Networks
        # 192.0.2.*     - TEST-NET
        # 224-255.*.*.* - Classes D & E, plus unallocated.
        iptables -A INPUT -s 0.0.0.0/8 -j DROP
        iptables -A INPUT -s 127.0.0.0/8 -j DROP
        iptables -A INPUT -s 169.254.0.0/16 -j DROP
        iptables -A INPUT -s 192.0.2.0/24 -j DROP
        iptables -A INPUT -s 224.0.0.0/3 -j DROP

# ----------------------------------------------------------------------------
# UDP TRACEROUTE
# ----------------------------------------------------------------------------
        # Traceroute usually uses -S 32769:65535 -D 33434:33523

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --source-port $TRACEROUTE_SRC_PORTS \
                 -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
                 --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# DNS forward-only nameserver (53)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 -s $PRIMARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $PRIMARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 -s $SECONDARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $SECONDARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

# ----------------------------------------------------------------------------
# HTTP server (80)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 80 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 80 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# HTTPS server (443)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 443 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 443 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# MySQL server (3306)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 3306 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 3306 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# SSH server (22)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $SSH_REMOTE_PORTS \
                 -d $IPADDR --destination-port 22 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 22 \
                 --destination-port $SSH_REMOTE_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# SSH client (22)
# ----------------------------------------------------------------------------
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $SSH_LOCAL_PORTS \
                 --destination-port 22 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 22 \
                 -d $IPADDR --destination-port $SSH_LOCAL_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# IMAP server (143)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 143 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 143 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# IMAP client (143)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 143 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 143 -j ACCEPT

# ----------------------------------------------------------------------------
# SMTP client (25)
# ----------------------------------------------------------------------------
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 25 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 25 -j ACCEPT

# ----------------------------------------------------------------------------
# FTP server (21)
# ----------------------------------------------------------------------------
        # incoming request
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 21 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 21 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

        # PORT MODE data channel responses
        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port 20 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 20 -j ACCEPT

        # PASSIVE MODE data channel responses
        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# SYSLOG client (514)
# ----------------------------------------------------------------------------
#       iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
#                -s $IPADDR --source-port 514 \
#                -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# ICMP
# ----------------------------------------------------------------------------
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.
#     Message Types:  Echo_Reply (0),  Echo_Request (8)
#     To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
#     Message Types:  INCOMING Dest_Unreachable (3), Time_Exceeded (11)
#     default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
#     Message Types:  OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
#     To block this, deny OUTGOING 3 and 11

# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type echo-reply \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type destination-unreachable \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type source-quench \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type time-exceeded \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type parameter-problem \
                 -d $IPADDR -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type source-quench -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type echo-request -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type parameter-problem -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --destination-port $PRIVPORTS -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --destination-port $UNPRIVPORTS -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type 5 -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type 13/255 -j DROP

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT

# ----------------------------------------------------------------------------
        ;;
  stop)
        echo -n "Shutting Firewalling: "

        # Remove all existing rules belonging to this filter
        iptables -F

        # Delete all user-defined chain to this filter
        iptables -X

        # Reset the default policy of the filter to accept.
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        ;;
  status)
        status iptables
        ;;
  restart|reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: iptables {start|stop|status|restart|reload}"
        exit 1
esac
echo "done"


Step 2
Once the script file has been created, it is important to make it executable, change its default
permissions, create the necessary links and start it. Making this file executable will allow the
system to run it; changing its default permissions allows only the root user to change this file, for
security reasons; and creating the symbolic links lets the process control initialization of
Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the script automatically for you at each boot.

•   To make this script executable and to change its default permissions, use the commands:
    [root@deep /]# chmod 700 /etc/rc.d/init.d/iptables
    [root@deep /]# chown 0.0 /etc/rc.d/init.d/iptables

•   To create the symbolic rc.d links for your firewall, use the following commands:
    [root@deep /]# chkconfig --add iptables
    [root@deep /]# chkconfig --level 2345 iptables on

•   To manually stop the firewall on your system, use the following command:
    [root@deep /]# /etc/rc.d/init.d/iptables stop
    Shutting Firewalling Services:                             [OK]

•   To manually start the firewall on your system, use the following command:
    [root@deep /]# /etc/rc.d/init.d/iptables start
    Starting Firewalling Services:                             [OK]

Now, your firewall rules are configured to use System V init (System V init is in charge of starting
all the normal processes that need to run at boot time) and it will be automatically started each
time your server boots.

WARNING: Don't try to edit the above script with MS Wordpad or some similar program or strange
characters will appear in the firewall script file under Linux. Instead use the vi editor of Linux to
edit the file and everything will work fine for you. You have been warned.





/etc/rc.d/init.d/iptables: The Mail Server File
This is the configuration script file for our Mail Server. This secure configuration allows unlimited
traffic on the Loopback interface, ICMP, DNS forward-only nameserver (53), SSH Server (22),
SMTP Server and Client (25), POP Server and Client (110), IMAPS Server and Client (993), and
Outgoing Traceroute requests by default.

If you don't want some services listed in the firewall rules files for the Mail Server that I make ON
by default, comment them out with a "#" at the beginning of the line. If you want some other
services that I commented out with a "#", then remove the "#" at the beginning of their lines. The
text in bold marks the parts of the configuration that must be customized and adjusted to satisfy
your needs.

Step 1
Create the iptables script file (touch /etc/rc.d/init.d/iptables) on your Mail Server
and add the following lines:





#!/bin/sh
#
# ----------------------------------------------------------------------------
# Copyright (C) 1999, 2001 OpenNA.com
# Last modified by Gerhard Mourani: 04-01-2001 <http://www.openna.com/>
# This firewall configuration is suitable for Central Mail Hub, IMAP/POP
# Server.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
#              used to provide firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
        exit 0
fi

if [ ! -x /sbin/iptables ]; then
        exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Firewalling: "

        # Some definitions for easy maintenance.
        # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

        IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \  -f 1`
        EXTERNAL_INTERFACE="eth0"                 # Internet connected interface
        LOOPBACK_INTERFACE="lo"                   # Your local naming convention
        PRIMARY_NAMESERVER="***.***.***.***"      # Your Primary Name Server
        SECONDARY_NAMESERVER="***.***.***.***"    # Your Secondary Name Server
        #SYSLOG_CLIENT="***.***.***.***"          # Your Syslog Clients IP ranges

        LOOPBACK="127.0.0.0/8"                    # Reserved loopback addr range
        CLASS_A="10.0.0.0/8"                      # Class A private networks
        CLASS_B="172.16.0.0/12"                   # Class B private networks
        CLASS_C="192.168.0.0/16"                  # Class C private networks
        CLASS_D_MULTICAST="224.0.0.0/4"           # Class D multicast addr
        CLASS_E_RESERVED_NET="240.0.0.0/5"        # Class E reserved addr
        BROADCAST_SRC="0.0.0.0"                   # Broadcast source addr
        BROADCAST_DEST="255.255.255.255"          # Broadcast destination addr
        PRIVPORTS="0:1023"                        # Privileged port range
        UNPRIVPORTS="1024:"                       # Unprivileged port range

        # ----------------------------------------------------------------------------

        # The SSH client starts at 1023 and works down to 513 for each
        # additional simultaneous connection originating from a privileged port.
        # Clients can optionally be configured to use only unprivileged ports.

        SSH_LOCAL_PORTS="1022:65535"              # Port range for local clients
        SSH_REMOTE_PORTS="513:65535"              # Port range for remote clients

        # traceroute usually uses -S 32769:65535 -D 33434:33523
        TRACEROUTE_SRC_PORTS="32769:65535"
        TRACEROUTE_DEST_PORTS="33434:33523"

        # ----------------------------------------------------------------------------

        # Default policy is DENY
        # Explicitly accept desired INCOMING & OUTGOING connections

        # Remove all existing rules belonging to this filter
        iptables -F

        # Remove any existing user-defined chains.
        iptables -X

        # Set the default policy of the filter to deny.
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

        # ----------------------------------------------------------------------------
        # LOOPBACK
        # ----------------------------------------------------------------------------

        # Unlimited traffic on the loopback interface.
        iptables -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
        iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

        # ----------------------------------------------------------------------------
        # Network Ghouls
        # Deny access to jerks

        # /etc/rc.d/rc.firewall.blocked contains a list of
        # iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
        # rules to block from any access.

        # Refuse any connection from problem sites
        if [ -f /etc/rc.d/rc.firewall.blocked ]; then
            deny_file="/etc/rc.d/rc.firewall.blocked"
            temp_file="/tmp/temp.ip.addresses"
            cat $deny_file | sed -n -e 's/^[ ]*\([0-9.]*\).*$/\1/p' \
                | awk ' $1 ' > $temp_file
            while read ip_addy
            do
                case $ip_addy in
                *) iptables -A INPUT  -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
                   iptables -A INPUT  -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
                   iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
                   iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
                ;;
                esac
            done < $temp_file
            rm -f $temp_file > /dev/null 2>&1
            unset temp_file
            unset deny_file
        fi

        # ----------------------------------------------------------------------------
        # SPOOFING & BAD ADDRESSES
        # Refuse spoofed packets.
        # Ignore blatantly illegal source addresses.
        # Protect yourself from sending to bad addresses.

        # Refuse incoming packets pretending to be from the external address.
        iptables -A INPUT -s $IPADDR -j DROP

        # Refuse incoming packets claiming to be from a Class A, B or C private
        # network
        iptables -A INPUT -s $CLASS_A -j DROP
        iptables -A INPUT -s $CLASS_B -j DROP
        iptables -A INPUT -s $CLASS_C -j DROP

        # Refuse broadcast address SOURCE packets
        iptables -A INPUT -s $BROADCAST_DEST -j DROP
        iptables -A INPUT -d $BROADCAST_SRC -j DROP

        # Refuse Class D multicast addresses
        # Multicast is illegal as a source address.
        # Multicast uses UDP.
        iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

        # Refuse Class E reserved IP addresses
        iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

        # Refuse special addresses defined as reserved by the IANA.
        # Note: The remaining reserved addresses are not included
        # filtering them causes problems as reserved blocks are
        # being allocated more often now. The following are based on
        # reservations as listed by IANA as of 2001/01/04. Please regularly
        # check at http://www.iana.org/ for the latest status.

        # Note: this list includes the loopback, multicast, & reserved addresses.

        # 0.*.*.*       - Can't be blocked for DHCP users.
        # 127.*.*.*     - LoopBack
        # 169.254.*.*   - Link Local Networks
        # 192.0.2.*     - TEST-NET
        # 224-255.*.*.* - Classes D & E, plus unallocated.

        iptables -A INPUT -s 0.0.0.0/8 -j DROP
        iptables -A INPUT -s 127.0.0.0/8 -j DROP
        iptables -A INPUT -s 169.254.0.0/16 -j DROP
        iptables -A INPUT -s 192.0.2.0/24 -j DROP
        iptables -A INPUT -s 224.0.0.0/3 -j DROP

        # ----------------------------------------------------------------------------
        # UDP TRACEROUTE
        # ----------------------------------------------------------------------------

        # traceroute usually uses -S 32769:65535 -D 33434:33523

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --source-port $TRACEROUTE_SRC_PORTS \
                 -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
                 --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # DNS forward-only nameserver (53)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 -s $PRIMARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $PRIMARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 -s $SECONDARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $SECONDARY_NAMESERVER --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

        # ----------------------------------------------------------------------------
        # POP server (110)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 110 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 110 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # POP client (110)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 110 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 110 -j ACCEPT

        # ----------------------------------------------------------------------------
        # IMAP server (143)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 143 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 143 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # IMAP client (143)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 143 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 143 -j ACCEPT

        # ----------------------------------------------------------------------------
        # IMAP server over SSL (993)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 993 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 993 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # IMAP client over SSL (993)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 993 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 993 -j ACCEPT

        # ----------------------------------------------------------------------------
        # SMTP server (25)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 25 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 25 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # SMTP client (25)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 25 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 25 -j ACCEPT

        # ----------------------------------------------------------------------------
        # SSH server (22)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $SSH_REMOTE_PORTS \
                 -d $IPADDR --destination-port 22 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 22 \
                 --destination-port $SSH_REMOTE_PORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # SYSLOG server (514)
        # ----------------------------------------------------------------------------

        # Provides full remote logging. Using this feature you're able to
        # control all syslog messages on one host.

        # iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
        #          -s $SYSLOG_CLIENT --source-port $UNPRIVPORTS \
        #          -d $IPADDR --destination-port 514 -j ACCEPT

        # ----------------------------------------------------------------------------
        # ICMP
        # ----------------------------------------------------------------------------

        # To prevent denial of service attacks based on ICMP bombs, filter
        # incoming Redirect (5) and outgoing Destination Unreachable (3).
        # Note, however, disabling Destination Unreachable (3) is not
        # advisable, as it is used to negotiate packet fragment size.

        # For bi-directional ping.
        #      Message Types:  Echo_Reply (0),  Echo_Request (8)
        #      To prevent attacks, limit the src addresses to your ISP range.
        #
        # For outgoing traceroute.
        #      Message Types:  INCOMING Dest_Unreachable (3),  Time_Exceeded (11)
        #      default UDP base: 33434 to base+nhops-1
        #
        # For incoming traceroute.
        #      Message Types:  OUTGOING Dest_Unreachable (3),  Time_Exceeded (11)
        #      To block this, deny OUTGOING 3 and 11

        #  0: echo-reply (pong)
        #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
        #  4: source-quench
        #  5: redirect
        #  8: echo-request (ping)
        # 11: time-exceeded
        # 12: parameter-problem

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type echo-reply \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type destination-unreachable \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type source-quench \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type time-exceeded \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type parameter-problem \
                 -d $IPADDR -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type source-quench -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type echo-request -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type parameter-problem -j ACCEPT

        # ----------------------------------------------------------------------------
        # Enable logging for selected denied packets

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --destination-port $PRIVPORTS -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --destination-port $UNPRIVPORTS -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type 5 -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type 13/255 -j DROP

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT

        # ----------------------------------------------------------------------------
        ;;
  stop)
        echo -n "Shutting Firewalling: "

        # Remove all existing rules belonging to this filter
        iptables -F

        # Delete all user-defined chain to this filter
        iptables -X

        # Reset the default policy of the filter to accept.
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        ;;
  status)
        status iptables
        ;;
  restart|reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: iptables {start|stop|status|restart|reload}"
        exit 1
esac

echo "done"

exit 0


Step 2
Once the script file has been created, it is important to make it executable, change its default
permissions, create the necessary links and start it. Making this file executable will allow the
system to run it; changing its default permissions allows only the root user to change this file, for
security reasons; and creating the symbolic links lets the process control initialization of
Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the script automatically for you at each boot.

•   To make this script executable and to change its default permissions, use the commands:
    [root@deep /]# chmod 700 /etc/rc.d/init.d/iptables
    [root@deep /]# chown 0.0 /etc/rc.d/init.d/iptables

•   To create the symbolic rc.d links for your firewall, use the following commands:
    [root@deep /]# chkconfig --add iptables
    [root@deep /]# chkconfig --level 2345 iptables on

•   To manually stop the firewall on your system, use the following command:
    [root@deep /]# /etc/rc.d/init.d/iptables stop
    Shutting Firewalling Services:                             [OK]

•   To manually start the firewall on your system, use the following command:
    [root@deep /]# /etc/rc.d/init.d/iptables start
    Starting Firewalling Services:                             [OK]

Now, your firewall rules are configured to use System V init (System V init is in charge of starting
all the normal processes that need to run at boot time) and it will be automatically started each
time your server boots.

WARNING: Don't try to edit the above script with MS Wordpad or some similar program or strange
characters will appear in the firewall script file under Linux. Instead use the vi editor of Linux to
edit the file and everything will work fine for you. You have been warned.
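The "Network Ghouls" part of the script above reads /etc/rc.d/rc.firewall.blocked through a sed/awk pipeline and installs four rules per address. The following added example (mine, not the book's code) replays that parsing offline on a constructed sample of the blocked-sites file and prints the rules instead of running iptables; the octet and prefix-length checks in awk, the use of mktemp instead of a fixed name in /tmp, and the interface name eth0 are my additions.

```shell
#!/bin/sh
# Added example, not the book's code: offline dry run of the
# "Network Ghouls" blocklist handling used by the firewall scripts.
# Rules are printed instead of executed, so no iptables is needed.

# Constructed sample of /etc/rc.d/rc.firewall.blocked: comments, blank
# lines, indented entries, trailing notes, a CIDR block and bad entries.
BLOCKED_SAMPLE='# problem sites (constructed sample, not real data)

192.0.2.17            # scanner seen 2001-01-04
   198.51.100.0/24    noisy subnet, whole block
not-an-address        typo in the list
256.1.1.1             octet out of range
203.0.113.9
'

# extract_blocked_ips FILE
# Print one IPv4 address or a.b.c.d/n block per line. The book's sed
# expression keeps any leading digits-and-dots; this version also
# checks every octet is <= 255 and any prefix length is <= 32, so a
# garbage line can never turn into "iptables -A INPUT -s <junk>".
extract_blocked_ips() {
    awk '
        # first field must look like a.b.c.d or a.b.c.d/n; "#" lines fail this
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            n = split($1, part, "/")
            split(part[1], oct, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (oct[i] + 0 > 255) ok = 0
            if (n == 2 && part[2] + 0 > 32) ok = 0
            if (ok) print $1
        }' "$1"
}

# count_blocked FILE: number of usable entries (for checks and logging).
count_blocked() {
    extract_blocked_ips "$1" | awk 'END { print NR }'
}

# gen_block_rules FILE IFACE
# Emit the same four rules per address that the script's while/case loop
# installs: drop it as source or destination on input, reject it on output.
gen_block_rules() {
    extract_blocked_ips "$1" | while read -r ip_addy; do
        echo "iptables -A INPUT  -i $2 -s $ip_addy -j DROP"
        echo "iptables -A INPUT  -i $2 -d $ip_addy -j DROP"
        echo "iptables -A OUTPUT -o $2 -s $ip_addy -j REJECT"
        echo "iptables -A OUTPUT -o $2 -d $ip_addy -j REJECT"
    done
}

# mktemp instead of the fixed /tmp/temp.ip.addresses name used in the
# script, which another local user could pre-create or replace with a symlink.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s' "$BLOCKED_SAMPLE" > "$SAMPLE_FILE"

echo "usable entries: $(count_blocked "$SAMPLE_FILE")"   # 3 of the 5 candidate lines
gen_block_rules "$SAMPLE_FILE" eth0
```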





/etc/rc.d/init.d/iptables: The Primary Domain Name Server File
This is the configuration script file for our Primary Domain Name Server. This secure
configuration allows unlimited traffic on the Loopback interface, ICMP, DNS Full Server and Client
(53), SSH Server (22), SMTP Client (25), and Outgoing Traceroute requests by default.

If you don't want some services listed in the firewall rules files for the Primary Domain Name
Server that I make ON by default, comment them out with a "#" at the beginning of the line. If you
want some other services that I commented out with a "#", then remove the "#" at the beginning
of their lines. The text in bold marks the parts of the configuration that must be customized and
adjusted to satisfy your needs.

Step 1
Create the iptables script file (touch /etc/rc.d/init.d/iptables) on your Primary
Domain Name Server and add the following lines:
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Copyright (C) 1999, 2001 OpenNA.com
# Last modified by Gerhard Mourani: 04-01-2001 <http://www.openna.com/>
# This firewall configuration is suitable for Primary/Master DNS Server.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
#              used to provide firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
        exit 0
fi

if [ ! -x /sbin/iptables ]; then
        exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Firewalling: "

        # Some definitions for easy maintenance.
        # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

        IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \  -f 1`
        EXTERNAL_INTERFACE="eth0"                 # Internet connected interface
        LOOPBACK_INTERFACE="lo"                   # Your local naming convention
        SECONDARY_NAMESERVER="***.***.***.***"    # Your Secondary Name Server
        #SYSLOG_SERVER="***.***.***.***"          # Your Syslog Internal Server
        SMTP_SERVER="***.***.***.***"             # Your Central Mail Hub Server

        LOOPBACK="127.0.0.0/8"                    # Reserved loopback addr range
        CLASS_A="10.0.0.0/8"                      # Class A private networks
        CLASS_B="172.16.0.0/12"                   # Class B private networks
        CLASS_C="192.168.0.0/16"                  # Class C private networks
        CLASS_D_MULTICAST="224.0.0.0/4"           # Class D multicast addr
        CLASS_E_RESERVED_NET="240.0.0.0/5"        # Class E reserved addr
        BROADCAST_SRC="0.0.0.0"                   # Broadcast source addr
        BROADCAST_DEST="255.255.255.255"          # Broadcast destination addr
        PRIVPORTS="0:1023"                        # Privileged port range
        UNPRIVPORTS="1024:"                       # Unprivileged port range

        # ----------------------------------------------------------------------------

        # The SSH client starts at 1023 and works down to 513 for each
        # additional simultaneous connection originating from a privileged port.
        # Clients can optionally be configured to use only unprivileged ports.

        SSH_LOCAL_PORTS="1022:65535"              # Port range for local clients
        SSH_REMOTE_PORTS="513:65535"              # Port range for remote clients

        # traceroute usually uses -S 32769:65535 -D 33434:33523
        TRACEROUTE_SRC_PORTS="32769:65535"
        TRACEROUTE_DEST_PORTS="33434:33523"

        # ----------------------------------------------------------------------------

        # Default policy is DENY
        # Explicitly accept desired INCOMING & OUTGOING connections

        # Remove all existing rules belonging to this filter
        iptables -F

        # Remove any existing user-defined chains.
        iptables -X

        # Set the default policy of the filter to deny.
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

        # ----------------------------------------------------------------------------
        # LOOPBACK
        # ----------------------------------------------------------------------------

        # Unlimited traffic on the loopback interface.
        iptables -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
        iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

        # ----------------------------------------------------------------------------
        # Network Ghouls
        # Deny access to jerks

        # /etc/rc.d/rc.firewall.blocked contains a list of
        # iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
        # rules to block from any access.

        # Refuse any connection from problem sites
        if [ -f /etc/rc.d/rc.firewall.blocked ]; then
            deny_file="/etc/rc.d/rc.firewall.blocked"
            temp_file="/tmp/temp.ip.addresses"
            cat $deny_file | sed -n -e 's/^[ ]*\([0-9.]*\).*$/\1/p' \
                | awk ' $1 ' > $temp_file
            while read ip_addy
            do
                case $ip_addy in
                *) iptables -A INPUT  -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
                   iptables -A INPUT  -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
                   iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
                   iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
                ;;
                esac
            done < $temp_file
            rm -f $temp_file > /dev/null 2>&1
            unset temp_file
            unset deny_file
        fi

        # ----------------------------------------------------------------------------
        # SPOOFING & BAD ADDRESSES
        # Refuse spoofed packets.
        # Ignore blatantly illegal source addresses.
        # Protect yourself from sending to bad addresses.

        # Refuse incoming packets pretending to be from the external address.
        iptables -A INPUT -s $IPADDR -j DROP

        # Refuse incoming packets claiming to be from a Class A, B or C private
        # network
        iptables -A INPUT -s $CLASS_A -j DROP
        iptables -A INPUT -s $CLASS_B -j DROP
        iptables -A INPUT -s $CLASS_C -j DROP

        # Refuse broadcast address SOURCE packets
        iptables -A INPUT -s $BROADCAST_DEST -j DROP
        iptables -A INPUT -d $BROADCAST_SRC -j DROP

        # Refuse Class D multicast addresses
        # Multicast is illegal as a source address.
        # Multicast uses UDP.
        iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

        # Refuse Class E reserved IP addresses
        iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

        # Refuse special addresses defined as reserved by the IANA.
        # Note: The remaining reserved addresses are not included
        # filtering them causes problems as reserved blocks are
        # being allocated more often now. The following are based on
        # reservations as listed by IANA as of 2001/01/04. Please regularly
        # check at http://www.iana.org/ for the latest status.

        # Note: this list includes the loopback, multicast, & reserved addresses.

        # 0.*.*.*       - Can't be blocked for DHCP users.
        # 127.*.*.*     - LoopBack
        # 169.254.*.*   - Link Local Networks
        # 192.0.2.*     - TEST-NET
        # 224-255.*.*.* - Classes D & E, plus unallocated.

        iptables -A INPUT -s 0.0.0.0/8 -j DROP
        iptables -A INPUT -s 127.0.0.0/8 -j DROP
        iptables -A INPUT -s 169.254.0.0/16 -j DROP
        iptables -A INPUT -s 192.0.2.0/24 -j DROP
        iptables -A INPUT -s 224.0.0.0/3 -j DROP

        # ----------------------------------------------------------------------------
        # UDP TRACEROUTE
        # ----------------------------------------------------------------------------

        # Traceroute usually uses -S 32769:65535 -D 33434:33523

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --source-port $TRACEROUTE_SRC_PORTS \
                 -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
                 --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # DNS: full server (53)
        # ----------------------------------------------------------------------------

        # server/client to server query or response

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 53 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port 53 \
                 --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --source-port 53 \
                 -d $IPADDR --destination-port 53 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port 53 \
                 --destination-port 53 -j ACCEPT

        # ----------------------------------------------------------------------------
        # DNS client (53)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 53 -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 --source-port 53 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 --destination-port 53 -j ACCEPT

        # ----------------------------------------------------------------------------
        # DNS Zone Transfers (53)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 -s $SECONDARY_NAMESERVER --source-port $UNPRIVPORTS \
                 -d $IPADDR --destination-port 53 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port 53 \
                 -d $SECONDARY_NAMESERVER --destination-port $UNPRIVPORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # SSH server (22)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
                 --source-port $SSH_REMOTE_PORTS \
                 -d $IPADDR --destination-port 22 -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $IPADDR --source-port 22 \
                 --destination-port $SSH_REMOTE_PORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # SYSLOG client (514)
        # ----------------------------------------------------------------------------

        # iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
        #          -s $IPADDR --source-port 514 \
        #          -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT

        # ----------------------------------------------------------------------------
        # SMTP client (25)
        # ----------------------------------------------------------------------------

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
                 -s $SMTP_SERVER --source-port 25 \
                 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
                 -s $IPADDR --source-port $UNPRIVPORTS \
                 -d $SMTP_SERVER --destination-port 25 -j ACCEPT

        # ----------------------------------------------------------------------------
        # ICMP
        # ----------------------------------------------------------------------------

        # To prevent denial of service attacks based on ICMP bombs, filter
        # incoming Redirect (5) and outgoing Destination Unreachable (3).
        # Note, however, disabling Destination Unreachable (3) is not
        # advisable, as it is used to negotiate packet fragment size.

        # For bi-directional ping.
        #      Message Types:  Echo_Reply (0),  Echo_Request (8)
        #      To prevent attacks, limit the src addresses to your ISP range.
        #
        # For outgoing traceroute.
        #      Message Types:  INCOMING Dest_Unreachable (3),  Time_Exceeded (11)
        #      default UDP base: 33434 to base+nhops-1
        #
        # For incoming traceroute.
        #      Message Types:  OUTGOING Dest_Unreachable (3),  Time_Exceeded (11)
        #      To block this, deny OUTGOING 3 and 11

        #  0: echo-reply (pong)
        #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
        #  4: source-quench
        #  5: redirect
        #  8: echo-request (ping)
        # 11: time-exceeded
        # 12: parameter-problem

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type echo-reply \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type destination-unreachable \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type source-quench \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type time-exceeded \
                 -d $IPADDR -j ACCEPT

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type parameter-problem \
                 -d $IPADDR -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type source-quench -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type echo-request -j ACCEPT

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
                 -s $IPADDR --icmp-type parameter-problem -j ACCEPT

        # ----------------------------------------------------------------------------
        # Enable logging for selected denied packets

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --destination-port $PRIVPORTS -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
                 --destination-port $UNPRIVPORTS -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type 5 -j DROP

        iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
                 --icmp-type 13/255 -j DROP

        iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT

        # ----------------------------------------------------------------------------
        ;;
  stop)
        echo -n "Shutting Firewalling: "

        # Remove all existing rules belonging to this filter
        iptables -F

        # Delete all user-defined chain to this filter
        iptables -X

        # Reset the default policy of the filter to accept.
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        ;;
  status)
        status iptables
        ;;
  restart|reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: iptables {start|stop|status|restart|reload}"
        exit 1
esac

echo "done"

exit 0


Step 2
Once the script file has been created, it is important to make it executable, change its default
permissions, create the necessary links and start it. Making this file executable allows the
system to run it; changing its default permissions allows only the root user to change this file,
for security reasons; and creating the symbolic links lets the process control initialization of
Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the script automatically for you at each boot.

•  To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/iptables
[root@deep /]# chown 0.0 /etc/rc.d/init.d/iptables

•  To create the symbolic rc.d links for your firewall, use the following commands:
[root@deep /]# chkconfig --add iptables
[root@deep /]# chkconfig --level 2345 iptables on

•  To manually stop the firewall on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables stop
Shutting Firewalling Services:                              [OK]

•  To manually start the firewall on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables start
Starting Firewalling Services:                              [OK]

Now, your firewall rules are configured to use System V init (System V init is in charge of starting
all the normal processes that need to run at boot time) and it will be automatically started each
time your server boots.

WARNING: Don't try to edit the above script with MS Wordpad or some similar program or strange
characters will appear in the firewall script file under Linux. Instead use the vi editor of Linux to
edit the file and everything will work fine for you. You have been warned.
/etc/rc.d/init.d/iptables: The Secondary Domain Name Server File
This is the configuration script file for our Secondary Domain Name Server. This secure
configuration allows unlimited traffic on the Loopback interface, ICMP, DNS Full Server and Client
(53), SSH Server (22), SMTP Client (25), and Outgoing Traceroute requests by default.

If you don't want some services listed in the firewall rules file for the Secondary Domain Name
Server that I make ON by default, comment them out with a "#" at the beginning of the line. If you
want some other services that I commented out with a "#", then remove the "#" at the beginning
of their lines. The text in bold are the parts of the configuration that must be customized and
adjusted to satisfy your needs.


Step 1 
Create the iptables script file (touch /etc/rc.d/init.d/iptables) on your Secondary 
Domain Name Server and add the following lines: 





#!/bin/sh
#
# ----------------------------------------------------------------------
# Copyright (C) 1999, 2001 OpenNA.com
# Last modified by Gerhard Mourani: 04-01-2001 <http://www.openna.com/>
# This firewall configuration is suitable for Secondary/Slave DNS Server.
# ----------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
#              used to provide firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
    exit 0
fi

if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# See how we were called.
case "$1" in
  start)
    echo -n "Starting Firewalling: "

    # ------------------------------------------------------------------
    # Some definitions for easy maintenance.
    # EDIT THESE TO SUIT YOUR SYSTEM AND ISP.

    IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d: -f 2 | cut -d \  -f 1`
    EXTERNAL_INTERFACE="eth0"               # Internet connected interface
    LOOPBACK_INTERFACE="lo"                 # Your local naming convention
    PRIMARY_NAMESERVER="***.***.***.***"    # Your Primary Name Server
    #SYSLOG_SERVER="***.***.***.***"        # Your Syslog Internal Server
    SMTP_SERVER="***.***.***.***"           # Your Central Mail Hub Server

    LOOPBACK="127.0.0.0/8"                  # Reserved loopback addr range
    CLASS_A="10.0.0.0/8"                    # Class A private networks
    CLASS_B="172.16.0.0/12"                 # Class B private networks
    CLASS_C="192.168.0.0/16"                # Class C private networks
    CLASS_D_MULTICAST="224.0.0.0/4"         # Class D multicast addr
    CLASS_E_RESERVED_NET="240.0.0.0/5"      # Class E reserved addr
    BROADCAST_SRC="0.0.0.0"                 # Broadcast source addr
    BROADCAST_DEST="255.255.255.255"        # Broadcast destination addr
    PRIVPORTS="0:1023"                      # Privileged port range
    UNPRIVPORTS="1024:"                     # Unprivileged port range

    # The SSH client starts at 1023 and works down to 513 for each
    # additional simultaneous connection originating from a privileged port.
    # Clients can optionally be configured to use only unprivileged ports.
    SSH_LOCAL_PORTS="1022:65535"            # Port range for local clients
    SSH_REMOTE_PORTS="513:65535"            # Port range for remote clients

    # traceroute usually uses -S 32769:65535 -D 33434:33523
    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"








    # ------------------------------------------------------------------
    # Default policy is DENY
    # Explicitly accept desired INCOMING & OUTGOING connections

    # Remove all existing rules belonging to this filter
    iptables -F

    # Remove any existing user-defined chains.
    iptables -X

    # Set the default policy of the filter to deny.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # ------------------------------------------------------------------
    # LOOPBACK
    # ------------------------------------------------------------------
    # Unlimited traffic on the loopback interface.
    iptables -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# 








    # ------------------------------------------------------------------
    # Network Ghouls
    # Deny access to jerks
    # ------------------------------------------------------------------
    # /etc/rc.d/rc.firewall.blocked contains a list of
    # iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
    # rules to block from any access.

    # Refuse any connection from problem sites
    if [ -f /etc/rc.d/rc.firewall.blocked ]; then
        deny_file="/etc/rc.d/rc.firewall.blocked"
        temp_file="/tmp/temp.ip.addresses"
        # keep the leading dotted-quad of each line, drop empty lines
        cat $deny_file | sed -n "s/^[ ]*\([0-9.]*\).*$/\1/p" \
        | awk ' $1 ' > $temp_file
        while read ip_addy
        do
            case $ip_addy in
            *) iptables -A INPUT  -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
               iptables -A INPUT  -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
               iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
               ;;
            esac
        done < $temp_file
        rm -f $temp_file > /dev/null 2>&1
        unset temp_file
        unset deny_file
    fi
    # ------------------------------------------------------------------
    # SPOOFING & BAD ADDRESSES
    # Refuse spoofed packets.
    # Ignore blatantly illegal source addresses.
    # Protect yourself from sending to bad addresses.

    # Refuse incoming packets pretending to be from the external address.
    iptables -A INPUT -s $IPADDR -j DROP

    # Refuse incoming packets claiming to be from a Class A, B or C private
    # network
    iptables -A INPUT -s $CLASS_A -j DROP
    iptables -A INPUT -s $CLASS_B -j DROP
    iptables -A INPUT -s $CLASS_C -j DROP

    # Refuse broadcast address SOURCE packets
    iptables -A INPUT -s $BROADCAST_DEST -j DROP
    iptables -A INPUT -d $BROADCAST_SRC -j DROP

    # Refuse Class D multicast addresses
    # Multicast is illegal as a source address.
    # Multicast uses UDP.
    iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

    # Refuse Class E reserved IP addresses
    iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

    # Refuse special addresses defined as reserved by the IANA.
    # Note: The remaining reserved addresses are not included;
    # filtering them causes problems as reserved blocks are
    # being allocated more often now. The following are based on
    # reservations as listed by IANA as of 2001/01/04. Please regularly
    # check at http://www.iana.org/ for the latest status.
    #
    # Note: this list includes the loopback, multicast, & reserved addresses.
    #
    # 0.*.*.*       - Can't be blocked for DHCP users.
    # 127.*.*.*     - LoopBack
    # 169.254.*.*   - Link Local Networks
    # 192.0.2.*     - TEST-NET
    # 224-255.*.*.* - Classes D & E, plus unallocated.
    iptables -A INPUT -s 0.0.0.0/8 -j DROP
    iptables -A INPUT -s 127.0.0.0/8 -j DROP
    iptables -A INPUT -s 169.254.0.0/16 -j DROP
    iptables -A INPUT -s 192.0.2.0/24 -j DROP
    iptables -A INPUT -s 224.0.0.0/3 -j DROP











    # ------------------------------------------------------------------
    # UDP TRACEROUTE
    # ------------------------------------------------------------------
    # traceroute usually uses -S 32769:65535 -D 33434:33523

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             --source-port $TRACEROUTE_SRC_PORTS \
             -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
             --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT












































    # ------------------------------------------------------------------
    # DNS: full server (53)
    # ------------------------------------------------------------------
    # server/client to server query or response

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             --source-port $UNPRIVPORTS \
             -d $IPADDR --destination-port 53 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR --source-port 53 \
             --destination-port $UNPRIVPORTS -j ACCEPT

    # server to server query or response (both ends on port 53)
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             --source-port 53 \
             -d $IPADDR --destination-port 53 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR --source-port 53 \
             --destination-port 53 -j ACCEPT

    # ------------------------------------------------------------------
    # DNS client (53)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             --source-port 53 \
             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR --source-port $UNPRIVPORTS \
             --destination-port 53 -j ACCEPT

    # TCP answers to our own queries: replies only (! --syn), never new connections
    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             --source-port 53 \
             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR --source-port $UNPRIVPORTS \
             --destination-port 53 -j ACCEPT

    # ------------------------------------------------------------------
    # DNS Zone Transfers (53)
    # ------------------------------------------------------------------
    # Only the Primary Name Server may open TCP connections to port 53

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             -s $PRIMARY_NAMESERVER --source-port $UNPRIVPORTS \
             -d $IPADDR --destination-port 53 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR --source-port 53 \
             -d $PRIMARY_NAMESERVER --destination-port $UNPRIVPORTS -j ACCEPT



































    # ------------------------------------------------------------------
    # SSH server (22)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
             --source-port $SSH_REMOTE_PORTS \
             -d $IPADDR --destination-port 22 -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
             -s $IPADDR --source-port 22 \
             --destination-port $SSH_REMOTE_PORTS -j ACCEPT


























    # ------------------------------------------------------------------
    # SYSLOG client (514)
    # ------------------------------------------------------------------
    # Commented out by default, together with SYSLOG_SERVER above; remove
    # the "#" on both to send logs to your internal syslog server.

    #iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
    #         -s $IPADDR --source-port 514 \
    #         -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT

















    # ------------------------------------------------------------------
    # SMTP client (25)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
             -s $SMTP_SERVER --source-port 25 \
             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
             -s $IPADDR --source-port $UNPRIVPORTS \
             -d $SMTP_SERVER --destination-port 25 -j ACCEPT























    # ------------------------------------------------------------------
    # FTP server (21)
    # ------------------------------------------------------------------
    # Not part of the default Secondary Domain Name Server rule set;
    # remove the "#" at the start of these lines only if this host
    # also has to serve FTP.

    # incoming request
    #iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    #         --source-port $UNPRIVPORTS \
    #         -d $IPADDR --destination-port 21 -j ACCEPT

    #iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
    #         -s $IPADDR --source-port 21 \
    #         --destination-port $UNPRIVPORTS -j ACCEPT

    # PORT MODE data channel responses
    #iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    #         -s $IPADDR --source-port 20 \
    #         --destination-port $UNPRIVPORTS -j ACCEPT

    #iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    #         --source-port $UNPRIVPORTS \
    #         -d $IPADDR --destination-port 20 -j ACCEPT

    # PASSIVE MODE data channel responses
    #iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    #         --source-port $UNPRIVPORTS \
    #         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    #iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
    #         -s $IPADDR --source-port $UNPRIVPORTS \
    #         --destination-port $UNPRIVPORTS -j ACCEPT

    # ------------------------------------------------------------------
    # ICMP
    # ------------------------------------------------------------------
    # To prevent denial of service attacks based on ICMP bombs, filter
    # incoming Redirect (5) and outgoing Destination Unreachable (3).
    # Note, however, disabling Destination Unreachable (3) is not
    # advisable, as it is used to negotiate packet fragment size.

    # For bi-directional ping.
    #     Message Types:  Echo_Reply (0),  Echo_Request (8)
    #     To prevent attacks, limit the src addresses to your ISP range.
    #
    # For outgoing traceroute.
    #     Message Types:  INCOMING Dest_Unreachable (3),  Time_Exceeded (11)
    #     default UDP base: 33434 to base+nhops-1
    #
    # For incoming traceroute.
    #     Message Types:  OUTGOING Dest_Unreachable (3),  Time_Exceeded (11)
    #     To block this, deny OUTGOING 3 and 11

    #  0: echo-reply (pong)
    #  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
    #  4: source-quench
    #  5: redirect
    #  8: echo-request (ping)
    # 11: time-exceeded
    # 12: parameter-problem

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type echo-reply \
             -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type destination-unreachable \
             -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type source-quench \
             -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type time-exceeded \
             -d $IPADDR -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type parameter-problem \
             -d $IPADDR -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR --icmp-type source-quench -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR --icmp-type echo-request -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
             -s $IPADDR --icmp-type parameter-problem -j ACCEPT

    # ------------------------------------------------------------------
    # Enable logging for selected denied packets

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             --destination-port $PRIVPORTS -j DROP

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             --destination-port $UNPRIVPORTS -j DROP

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type 5 -j DROP

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
             --icmp-type 13/255 -j DROP

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
    ;;
  stop)
    echo -n "Shutting Firewalling: "
    # Remove all existing rules belonging to this filter
    iptables -F
    # Delete all user-defined chain to this filter
    iptables -X
    # Reset the default policy of the filter to accept.
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    ;;
  status)
    status iptables
    ;;
  restart|reload)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: iptables {start|stop|status|restart|reload}"
    exit 1
esac
echo "done"

exit 0


Step 2
Once the script file has been created, it is important to make it executable, change its default
permissions, create the necessary links and start it. Making this file executable allows the
system to run it; changing its default permissions allows only the root user to change this file,
for security reasons; and creating the symbolic links lets the process control initialization of
Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the script automatically for you at each reboot.

•  To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/iptables
[root@deep /]# chown 0.0 /etc/rc.d/init.d/iptables

•  To create the symbolic rc.d links for your firewall, use the following commands:
[root@deep /]# chkconfig --add iptables
[root@deep /]# chkconfig --level 2345 iptables on

•  To manually stop the firewall on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables stop
Shutting Firewalling Services:                              [OK]

•  To manually start the firewall on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables start
Starting Firewalling Services:                              [OK]


Now, your firewall rules are configured to use System V init (System V init is in charge of starting 
all the normal processes that need to run at boot time) and it will be automatically started each 
time your server boots. 





WARNING: Don't try to edit the above script with MS Wordpad or some similar program or strange 
characters will appear in the firewall script file under Linux. Instead use the vi editor of Linux to 
edit the file and everything will work fine for you. You have been warned. 
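The "Network Ghouls" loop in the script above adds four rules for every line of /etc/rc.d/rc.firewall.blocked, and nothing checks that a line really holds an address before it is handed to iptables. What follows is an added example, not part of the book nor of OpenNA's script: a dry-run version of that loop that keeps only well-formed IPv4 addresses or CIDR blocks and prints the iptables commands instead of executing them, so a block list can be reviewed before the firewall loads it. The interface name eth0 and the sample block file (built from documentation address ranges) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the book): dry-run of the block-list loop.
# Reads a file in the layout of /etc/rc.d/rc.firewall.blocked, keeps
# only well-formed IPv4 addresses or CIDR blocks, and prints the rules
# the firewall script would add, without calling iptables.

EXTERNAL_INTERFACE="eth0"   # assumed, as in the book's script

# Print each valid address from the block file, one per line.
# Comments ("#" to end of line) and surrounding whitespace are removed;
# anything that is not dotted-quad[/prefix] with octets <= 255 and a
# prefix <= 32 is dropped, so a typo cannot become a malformed rule.
blocked_addresses() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | awk '
        $0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { next }
        {
            n = split($0, p, "[./]")
            ok = 1
            for (i = 1; i <= 4; i++) if (p[i] + 0 > 255) ok = 0
            if (n == 5 && p[5] + 0 > 32) ok = 0
            if (ok) print $0
        }'
}

# Emit the four rules the script adds per address: drop it as source
# and destination on input, reject it as source and destination on output.
block_rules() {
    blocked_addresses "$1" | while read -r ip; do
        echo "iptables -A INPUT  -i $EXTERNAL_INTERFACE -s $ip -j DROP"
        echo "iptables -A INPUT  -i $EXTERNAL_INTERFACE -d $ip -j DROP"
        echo "iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip -j REJECT"
        echo "iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip -j REJECT"
    done
}

# Constructed sample block list; the addresses are documentation ranges.
BLOCK_FILE="${TMPDIR:-/tmp}/rc.firewall.blocked.example.$$"
trap 'rm -f "$BLOCK_FILE"' EXIT
cat > "$BLOCK_FILE" <<'EOF'
# constructed sample, not a real block list
192.0.2.10            # single host
198.51.100.0/24       # whole block
203.0.113.999         # bad octet: must be skipped
not-an-address
EOF

echo "Rules that would be loaded from $BLOCK_FILE:"
block_rules "$BLOCK_FILE"
```

Run it against the real /etc/rc.d/rc.firewall.blocked to see exactly which rules the boot script will install; the two malformed lines in the sample produce no rules at all, whereas the book's sed/awk pipeline would have passed "203.0.113.999" straight to iptables.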











NOTE: All the configuration files required for each piece of software described in this book have been
provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can
unpack this to any location on your local machine, say for example /var/tmp; assuming you
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy
directory each configuration file has its own directory for the respective software. You can either cut
and paste these directly if you are faithfully following our instructions from the beginning, or
manually edit them to suit your needs. This facility is there as a convenience, but
please don't forget that ultimately it is your responsibility to check and verify them before you use
them, whether modified or as they are.
9 Networking - Firewall Masquerading & Forwarding

In this Chapter

Recommended RPM packages to be installed for a Gateway Server
Building a kernel with Firewall Masquerading & Forwarding support
/etc/rc.d/init.d/iptables: The Gateway Server File
Deny access to some address
IPTABLES Administrative Tools
Recommended RPM packages to be installed for a Gateway Server
A minimal configuration provides the basic set of packages required by the Linux operating
system. A minimal configuration is a perfect starting point for building a secure operating system.
Below is the list of all recommended RPM packages required to run your Linux server as a
Gateway/Firewall Server. Remember that a Gateway Server is nothing other than a Linux server
with a big firewall, which forwards all internal traffic to the Internet.

This configuration assumes that your kernel is a monolithic kernel. Also, I suppose that you will
install IPTABLES by RPM package. Therefore, the IPTABLES RPM package is already included in
the list below, as you can see. No security tools are installed; it is up to you to install them as you
need by RPM, since compiler packages are not installed and not included in the list.








basesystem      bdflush         bind            bzip2           chkconfig
console-tools   cpio            cracklib        cracklib-dicts  crontabs
db1             db2             db3             dev             devfsd
diffutils       e2fsprogs       file            filesystem      fileutils
findutils       gawk            gdbm            gettext         glib
glibc           glibc-common    grep            groff           gzip
info            initscripts     iptables        kernel          less
libstdc++       libtermcap      lilo            logrotate       losetup
MAKEDEV         man             mingetty        mktemp          mount
ncurses         net-tools       newt            openssh         openssh-clients
openssh-server  openssl         pam             passwd          popt
procps          psmisc          pwdb            qmail           readline
rootfiles       rpm             sed             setup           sh-utils
shadow-utils    slang           slocate         sysklogd        syslinux
SysVinit        tar             termcap         textutils       tmpwatch
utempter        util-linux      vim-common      vim-minimal     vixie-cron
which           words           zlib

Tested and fully functional on OpenNA.com. 
Linux Masquerading & Forwarding

Abstract

Unlike the firewall example configurations in the previous chapter, configuring a Linux Server to 
masquerade and forward traffic generally from the inside private network that has unregistered IP 
addresses (i.e. 192.168.1.0/24) to the outside network (i.e. the Internet) requires a special 
setup of your kernel and your firewall configuration scripts file. This kind of configuration is also 
known as a Gateway Server or Proxy Server (a machine that serves as a gateway for internal 
traffic to external traffic). This configuration must be set only if you have the intentions and the 
needs for this kind of service, and it’s for this reason that the configuration of the script file for the 
Gateway Server is in its own chapter. 


Masquerading means that if one of the computers on your local network for which your Linux 
machine (or Gateway/Proxy) acts as a firewall wants to send something to the outside, your 
machine can "masquerade" as that computer. In other words, it forwards the traffic to the 
intended outside destination, but makes it look like it came from the firewall machine itself. It 
works both ways: if the outside host replies, the Linux firewall will silently forward the traffic to the 
corresponding local computer. This way, the computers on your local network are completely 
invisible to the outside world, even though they can reach outside and can receive replies. This 
makes it possible to have the computers on the local network participate on the Internet even if 
they don’t have officially registered IP addresses. 


Building a kernel with Firewall Masquerading & Forwarding support
Once again, the first thing you need to do is ensure that your kernel has been built with the
netfilter infrastructure in it: netfilter is a general framework inside the Linux kernel, which other
things (such as the iptables module) can plug into.

Step 1
This means you need kernel 2.4.0 or beyond, and must answer "y" or "m" to the following kernel
configuration questions. Contrary to previous kernel generations (2.2.x), which only allowed you to
build a modularized kernel with masquerading and forwarding support, the new generation of kernel
(2.4.x) lets you build a Linux Gateway Server with these features directly included in it by answering
"y" to the related masquerading and forwarding networking options.

Below I assume that you want to build masquerading and forwarding support as well as the other
firewall features as modules into the kernel; of course, if this is not the case, all you have to do is
answer the related kernel options with "y" for yes instead of "m" for module. Personally, I
prefer to build masquerading and forwarding support directly into the kernel by answering "y" to
all the questions. But it is up to you to decide which way is the best for your needs. For those of
you who aren't sure, I can say that in the year 2000 some problems were found in the tool
responsible for loading modules in the system; these problems were related to some bugs in the
code of the program, which allowed non-root users to gain access to the system.
* Networking options
*
Packet socket (CONFIG_PACKET) [Y/m/n/?]
Packet socket: mmapped IO (CONFIG_PACKET_MMAP) [N/y/?] y
Kernel/User netlink socket (CONFIG_NETLINK) [N/y/?] y
Routing messages (CONFIG_RTNETLINK) [N/y/?] (NEW) y
Netlink device emulation (CONFIG_NETLINK_DEV) [N/y/m/?] (NEW) y
Network packet filtering (replaces ipchains) (CONFIG_NETFILTER) [N/y/?] y
Network packet filtering debugging (CONFIG_NETFILTER_DEBUG) [N/y/?] (NEW) y
Socket Filtering (CONFIG_FILTER) [N/y/?]
Unix domain sockets (CONFIG_UNIX) [Y/m/n/?]
TCP/IP networking (CONFIG_INET) [Y/n/?]
IP: multicasting (CONFIG_IP_MULTICAST) [Y/n/?] n
IP: advanced router (CONFIG_IP_ADVANCED_ROUTER) [N/y/?] y
IP: policy routing (CONFIG_IP_MULTIPLE_TABLES) [N/y/?] (NEW) y
IP: use netfilter MARK value as routing key (CONFIG_IP_ROUTE_FWMARK) [N/y/?] (NEW) y
IP: fast network address translation (CONFIG_IP_ROUTE_NAT) [N/y/?] (NEW) y
IP: equal cost multipath (CONFIG_IP_ROUTE_MULTIPATH) [N/y/?] (NEW) y
IP: use TOS value as routing key (CONFIG_IP_ROUTE_TOS) [N/y/?] (NEW) y
IP: verbose route monitoring (CONFIG_IP_ROUTE_VERBOSE) [N/y/?] (NEW) y
IP: large routing tables (CONFIG_IP_ROUTE_LARGE_TABLES) [N/y/?] (NEW) y
IP: kernel level autoconfiguration (CONFIG_IP_PNP) [N/y/?]
IP: tunneling (CONFIG_NET_IPIP) [N/y/m/?]
IP: GRE tunnels over IP (CONFIG_NET_IPGRE) [N/y/m/?]
IP: TCP Explicit Congestion Notification support (CONFIG_INET_ECN) [N/y/?]
IP: TCP syncookie support (disabled per default) (CONFIG_SYN_COOKIES) [N/y/?] y
*
* IP: Netfilter Configuration
*
Connection tracking (required for masq/NAT) (CONFIG_IP_NF_CONNTRACK) [N/y/m/?] (NEW) m
FTP protocol support (CONFIG_IP_NF_FTP) [N/m/?] (NEW) m
IP tables support (required for filtering/masq/NAT) (CONFIG_IP_NF_IPTABLES) [N/y/m/?] (NEW) m
limit match support (CONFIG_IP_NF_MATCH_LIMIT) [N/m/?] (NEW) m
MAC address match support (CONFIG_IP_NF_MATCH_MAC) [N/m/?] (NEW) m
netfilter MARK match support (CONFIG_IP_NF_MATCH_MARK) [N/m/?] (NEW) m
Multiple port match support (CONFIG_IP_NF_MATCH_MULTIPORT) [N/m/?] (NEW) m
TOS match support (CONFIG_IP_NF_MATCH_TOS) [N/m/?] (NEW) m
Connection state match support (CONFIG_IP_NF_MATCH_STATE) [N/m/?] (NEW) m
Packet filtering (CONFIG_IP_NF_FILTER) [N/m/?] (NEW) m
REJECT target support (CONFIG_IP_NF_TARGET_REJECT) [N/m/?] (NEW) m
Full NAT (CONFIG_IP_NF_NAT) [N/m/?] (NEW) m
MASQUERADE target support (CONFIG_IP_NF_TARGET_MASQUERADE) [N/m/?] (NEW) m
REDIRECT target support (CONFIG_IP_NF_TARGET_REDIRECT) [N/m/?] (NEW) m
Packet mangling (CONFIG_IP_NF_MANGLE) [N/m/?] (NEW) m
TOS target support (CONFIG_IP_NF_TARGET_TOS) [N/m/?] (NEW) m
MARK target support (CONFIG_IP_NF_TARGET_MARK) [N/m/?] (NEW) m
LOG target support (CONFIG_IP_NF_TARGET_LOG) [N/m/?] (NEW) m























If you enabled IP Masquerading and Forwarding support, then the following modules will
automatically be compiled into the kernel if you have a monolithic kernel or compiled as modules
if you have a modularized kernel. They are needed to make masquerading and the other security
features for these protocols work:

ip_conntrack.o
ip_conntrack_ftp.o
ip_nat_ftp.o
ip_tables.o
ipt_LOG.o
ipt_MARK.o
ipt_MASQUERADE.o
ipt_REDIRECT.o
ipt_REJECT.o
ipt_TOS.o
ipt_limit.o
ipt_mac.o
ipt_mark.o
ipt_multiport.o
ipt_state.o
ipt_tos.o
iptable_filter.o
iptable_mangle.o
iptable_nat.o
WARNING: If you have followed the Linux Kernel chapter and have recompiled your kernel, these
options as shown above are already set. Don’t forget that only your Gateway/Proxy Server 
needs to have these kernel options (all features under IP: Netfilter Configuration) enabled. They 
are required to masquerade your Internal Network to the outside and to set ON some other 
features and security. Remember that other servers like the Web Server, Mail Server, Primary 
Domain Name Server and Secondary Domain Name Server examples don’t need to have these 
options enabled since they either have a real IP address assigned or don’t act as a Gateway for 
the inside network. 
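The configuration dialogue above is easy to get wrong when it is answered by hand, and the WARNING makes the point that only the Gateway should carry these options. The following is an added example, not from the book: a small shell check that reads a kernel .config file and reports which of the netfilter options listed above are neither built in ("y") nor modules ("m"). The list of options it requires is taken from the dialogue above; the sample .config is constructed for the example and deliberately leaves two NAT options out.

```shell
#!/bin/sh
# Added example (not from the book): verify that a kernel .config carries
# the netfilter options the Gateway needs, each answered "y" or "m".

# Options from the "IP: Netfilter Configuration" dialogue that the
# Gateway script relies on (connection tracking, filtering, NAT,
# masquerading, logging). Extend the list to taste.
REQUIRED_NETFILTER_OPTIONS="
CONFIG_NETFILTER
CONFIG_IP_NF_CONNTRACK
CONFIG_IP_NF_FTP
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_STATE
CONFIG_IP_NF_FILTER
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_LOG
"

# Print the value (y, m, n or unset) of one option in a .config file.
# The kernel writes disabled options as "# CONFIG_FOO is not set".
kconfig_value() {
    opt="$1"; file="$2"
    v=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$file" | tail -n 1)
    if [ -n "$v" ]; then
        echo "$v"
    elif grep -q "^# ${opt} is not set\$" "$file"; then
        echo "n"
    else
        echo "unset"
    fi
}

# Print every required option that is neither built in nor a module.
# Exit status 0 when nothing is missing (kernel is suitable), 1 otherwise.
missing_netfilter_options() {
    file="$1"; missing=0
    for opt in $REQUIRED_NETFILTER_OPTIONS; do
        case "$(kconfig_value "$opt" "$file")" in
            y|m) ;;
            *) echo "$opt"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed sample .config: NAT is answered "n" and MASQUERADE is absent.
KCONFIG="${TMPDIR:-/tmp}/kernel.config.example.$$"
trap 'rm -f "$KCONFIG"' EXIT
cat > "$KCONFIG" <<'EOF'
# constructed sample, not a real kernel configuration
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_NAT is not set
CONFIG_IP_NF_TARGET_LOG=m
EOF

if missing_netfilter_options "$KCONFIG" > /dev/null; then
    echo "kernel config has every netfilter option the Gateway needs"
else
    echo "kernel config is missing:"
    missing_netfilter_options "$KCONFIG"
fi
```

Point it at /usr/src/linux/.config on the machine you intend to use as the Gateway; on the sample above it reports CONFIG_IP_NF_NAT and CONFIG_IP_NF_TARGET_MASQUERADE, which is exactly the pair without which the MASQUERADE target cannot be loaded.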





Step 2
The IP masquerading code will only work if IP forwarding is enabled on your system. This feature
is disabled by default and you can enable it with the following command:

•  To enable IPv4 forwarding on your Linux system, use the following command:
Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following lines:

# Enable packet forwarding (required only for Gateway, VPN, Proxy, PPP)
net.ipv4.ip_forward = 1

You must restart your network for the change to take effect. The command to restart the network
is the following:

•  To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart

Setting network parameters                                  [OK]
Bringing up interface lo                                    [OK]
Bringing up interface eth0                                  [OK]
Bringing up interface eth1                                  [OK]

WARNING: The IP forwarding line above is only required if you answered "y" or "m" to all the kernel
options under "IP: Netfilter Configuration" and choose to have a server act as a Gateway and
masquerade for your inside network.

There is another way to update the entry without restarting the network, by using the following
command in your terminal screen:
[root@deep /]# sysctl -w net.ipv4.ip_forward=1 
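Because the WARNING above says forwarding belongs on the Gateway only, a defender wants a quick way to check what each server's /etc/sysctl.conf will do at the next boot. The following is an added example, not from the book: a shell function that reads the effective value of a key from a sysctl.conf-style file the way sysctl -p would (comments ignored, whitespace around "=" tolerated, last assignment wins) and a wrapper that says whether forwarding is on. The two sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): audit net.ipv4.ip_forward in a
# sysctl.conf-style file without touching the running kernel.

# Print the effective value of a key from a sysctl.conf-style file, or
# nothing if the key is never set. "#" and ";" start comments; the last
# assignment wins, as when sysctl -p applies the file top to bottom.
sysctl_conf_value() {
    key="$1"; file="$2"
    sed -e 's/[#;].*$//' "$file" \
    | awk -v key="$key" -F'=' '
        NF >= 2 {
            k = $1; v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) last = v
        }
        END { if (last != "") print last }'
}

# Exit status 0 if the file turns forwarding on, 1 otherwise.
forwarding_enabled() {
    [ "$(sysctl_conf_value net.ipv4.ip_forward "$1")" = "1" ]
}

# Constructed sample files: one for the Gateway, one for a DNS server.
GATEWAY_CONF="${TMPDIR:-/tmp}/sysctl.gateway.example.$$"
DNS_CONF="${TMPDIR:-/tmp}/sysctl.dns.example.$$"
trap 'rm -f "$GATEWAY_CONF" "$DNS_CONF"' EXIT
cat > "$GATEWAY_CONF" <<'EOF'
# constructed sample: Gateway Server
net.ipv4.ip_forward = 0
# Enable packet forwarding (required only for Gateway, VPN, Proxy, PPP)
net.ipv4.ip_forward = 1
EOF
cat > "$DNS_CONF" <<'EOF'
# constructed sample: Secondary Domain Name Server, forwarding must stay off
net.ipv4.ip_forward=0   # not a gateway
EOF

for f in "$GATEWAY_CONF" "$DNS_CONF"; do
    if forwarding_enabled "$f"; then
        echo "$f: packet forwarding ON (only correct on the Gateway)"
    else
        echo "$f: packet forwarding off"
    fi
done
```

Run sysctl_conf_value with another key (for instance net.ipv4.tcp_syncookies) to check any other setting the same way; an empty result means the file never sets it and the kernel default applies.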





Some Points to Consider
You can safely assume that you are potentially at risk if you connect your system to the Internet.
Your gateway to the Internet is your greatest exposure, so we recommend the following:

✓  The gateway should not run any more applications than are absolutely necessary.

✓  The gateway should strictly limit the type and number of protocols allowed to flow through
it (protocols potentially provide security holes, such as FTP and telnet).

✓  Any system containing confidential or sensitive information should not be directly
accessible from the Internet.
/etc/rc.d/init.d/iptables: The Gateway Server File
This is the configuration script file for our Gateway Server. This secure configuration allows
unlimited traffic on the Loopback interface, unlimited traffic within the local network, ICMP, DNS
forward-only nameserver (53), SSH Server and Client (22), HTTP Client (80), HTTPS Client (443),
POP Client (110), IMAP Client (143), NNTP NEWS Client (119), SMTP Client (25), TELNET client
(23), AUTH client (113), WHOIS client (43), FINGER client (79), IRC Client (6667), ICQ Client
(4000), FTP Client (20, 21), RealAudio / QuickTime Client, and Outgoing Traceroute requests by
default.

If you don't want some services listed in the firewall rules file for the Gateway Server that I make
ON by default, comment them out with a "#" at the beginning of the line. If you want some other
services that I commented out with a "#", then remove the "#" at the beginning of their lines.

If you have a modularized kernel and have configured Masquerading on your server, don't forget
to uncomment the modules necessary to masquerade their respective services under the
"FIREWALL MODULES" section of the firewall script file. The text in bold are the parts of the
configuration that must be customized and adjusted to satisfy your needs.


Step 1 
Create the iptables script file (touch /etc/rc.d/init.d/iptables) on your Gateway 
Server and add the following lines: 





#!/bin/sh
#
# ----------------------------------------------------------------------------
# Copyright (C) 1999, 2001 OpenNA.com
# Last modified by Gerhard Mourani: 04-01-2001 <http://www.openna.com/>
# This firewall configuration is suitable for Gateway & Proxy Server.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/iptables.
#
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter \
#              used to provide firewall network services.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
        exit 0
fi

if [ ! -x /sbin/iptables ]; then
        exit 0
fi

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Firewalling: "

# for easy maintenance.

# ----------------------------------------------------------------------------
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
# ----------------------------------------------------------------------------

IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d: -f 2 | cut -d ' ' -f 1`
EXTERNAL_INTERFACE="eth0"               # Internet connected interface
LOOPBACK_INTERFACE="lo"                 # Your local naming convention
LOCAL_INTERFACE_1="eth1"                # Your Internal LAN interface
INTRANET="***.***.***.***/24"           # Your Private IP Addr Range
PRIMARY_NAMESERVER="***.***.***.***"    # Your Primary Name Server
SECONDARY_NAMESERVER="***.***.***.***"  # Your Secondary Name Server
#SYSLOG_SERVER="***.***.***.***"        # Your Syslog Internal Server

LOOPBACK="127.0.0.0/8"                  # Reserved loopback address range
CLASS_A="10.0.0.0/8"                    # Class A private networks
CLASS_B="172.16.0.0/12"                 # Class B private networks
CLASS_C="192.168.0.0/16"                # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4"         # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5"      # Class E reserved addr
BROADCAST_SRC="0.0.0.0"                 # Broadcast source addr
BROADCAST_DEST="255.255.255.255"        # Broadcast destination addr
PRIVPORTS="0:1023"                      # Privileged port range
UNPRIVPORTS="1024:"                     # Unprivileged port range

# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535"            # Port range for local clients
SSH_REMOTE_PORTS="513:65535"            # Port range for remote clients

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# FIREWALL MODULES
# ----------------------------------------------------------------------------
# Uncomment all of the following modules lines only
# for modularized kernel system.
# These modules are necessary to masquerade their respective services.
# /sbin/modprobe ip_tables
# /sbin/modprobe iptable_nat
# /sbin/modprobe ip_conntrack
# /sbin/modprobe ip_conntrack_ftp
# /sbin/modprobe ip_tables
# /sbin/modprobe ip_nat_ftp
# /sbin/modprobe ipt_LOG
# /sbin/modprobe ipt_MARK
# /sbin/modprobe ipt_MASQUERADE
# /sbin/modprobe ipt_REDIRECT
# /sbin/modprobe ipt_REJECT
# /sbin/modprobe ipt_TOS
# /sbin/modprobe ipt_limit
# /sbin/modprobe ipt_mac
# /sbin/modprobe ipt_mark
# /sbin/modprobe ipt_multiport
# /sbin/modprobe ipt_state
# /sbin/modprobe ipt_tos
# /sbin/modprobe iptable_mangle

# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections

# Remove all existing rules belonging to this filter
iptables -F
iptables -F -t nat

# Remove any existing user-defined chains.
iptables -X

# Set the default policy of the filter to deny.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# ----------------------------------------------------------------------------
# LOOPBACK
# ----------------------------------------------------------------------------
# Unlimited traffic on the loopback interface.
iptables -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

# ----------------------------------------------------------------------------
# Unlimited traffic within the local network.

# All internal machines have access to the firewall machine.
iptables -A INPUT  -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT

# ----------------------------------------------------------------------------
# STATEFUL PART!

# Kill malformed XMAS packets
iptables -A INPUT   -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

# Kill malformed NULL packets
iptables -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# Block faked, or "spoofed," packets from getting through the firewall.
iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP

# Allow all internal packets out of our network.
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
         -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT

# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
         -i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT

# All internal traffic is masqueraded externally.
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE

# Blocks any forwards that come from Internet connection. Uncomment only for
# users with modem device like "ppp0".
# iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
#          --state NEW,INVALID -j REJECT

# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks

# /etc/rc.d/rc.firewall.blocked contains a list of
# iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
# rules to block from any access.

# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    deny_file="/etc/rc.d/rc.firewall.blocked"
    temp_file="/tmp/temp.ip.addresses"
    # NOTE: the sed expression on the next line could not be read from the
    # printed copy of this script; the one used here implements the behaviour
    # described under "Deny access to some address" below: keep only lines that
    # start (after optional blanks) with an IP address, and strip the rest.
    cat $deny_file | sed -n -e 's/^[[:blank:]]*\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*$/\1/p' \
     | awk '{print $1}' > $temp_file
    while read ip_addy
    do
        case $ip_addy in
        *) iptables -A INPUT  -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
           iptables -A INPUT  -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
           iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
        ;;
        esac
    done < $temp_file
    rm -f $temp_file > /dev/null 2>&1
    unset temp_file
    unset deny_file
fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.

# Refuse incoming packets pretending to be from the external address.
iptables -A INPUT -s $IPADDR -j DROP

# Refuse incoming packets claiming to be from a Class A, B or C private
# network
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
# iptables -A INPUT -s $CLASS_C -j DROP

# Refuse broadcast address SOURCE packets
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP

# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP

iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included
# filtering them causes problems as reserved blocks are
# being allocated more often now. The following are based on
# reservations as listed by IANA as of 2001/01/04. Please regularly
# check at http://www.iana.org/ for the latest status.
#
# Note: this list includes the loopback, multicast, & reserved addresses.

# 0.*.*.*        - Can't be blocked for DHCP users.
# 127.*.*.*      - LoopBack
# 169.254.*.*    - Link Local Networks
# 192.0.2.*      - TEST-NET
# 224-255.*.*.*  - Classes D & E, plus unallocated.

iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP

# ----------------------------------------------------------------------------
# UDP TRACEROUTE
# ----------------------------------------------------------------------------
# traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --source-port $TRACEROUTE_SRC_PORTS \
         -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS \
         --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# DNS forward-only nameserver
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         -s $PRIMARY_NAMESERVER --source-port 53 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $PRIMARY_NAMESERVER --source-port 53 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         -s $SECONDARY_NAMESERVER --source-port 53 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $SECONDARY_NAMESERVER --source-port 53 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT

# ----------------------------------------------------------------------------
# HTTP client (80)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 80 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 80 -j ACCEPT

# ----------------------------------------------------------------------------
# HTTPS client (443)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 443 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 443 -j ACCEPT

# ----------------------------------------------------------------------------
# WWW-CACHE client
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 3128 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 3128 -j ACCEPT

# ----------------------------------------------------------------------------
# NNTP NEWS client (119)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 119 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 119 -j ACCEPT

# ----------------------------------------------------------------------------
# POP client (110)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 110 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 110 -j ACCEPT

# ----------------------------------------------------------------------------
# IMAP client (143)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 143 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 143 -j ACCEPT

# ----------------------------------------------------------------------------
# SMTP client (25)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 25 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 25 -j ACCEPT

# ----------------------------------------------------------------------------
# SSH server (22)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $SSH_REMOTE_PORTS \
         -d $IPADDR --destination-port 22 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR --source-port 22 \
         --destination-port $SSH_REMOTE_PORTS -j ACCEPT

# ----------------------------------------------------------------------------
# SSH client (22)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 22 \
         -d $IPADDR --destination-port $SSH_LOCAL_PORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $SSH_LOCAL_PORTS \
         --destination-port 22 -j ACCEPT

# ----------------------------------------------------------------------------
# TELNET client (23)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 23 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 23 -j ACCEPT

# ----------------------------------------------------------------------------
# AUTH server (113)
# ----------------------------------------------------------------------------
# Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port 113 -j REJECT

# ----------------------------------------------------------------------------
# AUTH client (113)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 113 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 113 -j ACCEPT

# ----------------------------------------------------------------------------
# WHOIS client (43)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 43 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 43 -j ACCEPT

# ----------------------------------------------------------------------------
# FINGER client (79)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 79 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 79 -j ACCEPT

# ----------------------------------------------------------------------------
# FTP client (21)
# ----------------------------------------------------------------------------
# outgoing request
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 21 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 21 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

# PORT mode data channel
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
         --source-port 20 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 20 -j ACCEPT

# ----------------------------------------------------------------------------
# IRC client (6667)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 6667 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 6667 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# RealAudio / QuickTime client
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 554 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 554 -j ACCEPT

# TCP is a more secure method: 7070:7071
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 7070:7071 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 7070:7071 -j ACCEPT

# UDP is the preferred method: 6970:6999
# For LAN machines, UDP requires the RealAudio masquerading module and
# the ipmasqadm third-party software.
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port 6970:6999 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR --source-port 6970:6999 \
         --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# ICQ client (4000)
# ----------------------------------------------------------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 2000:4000 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 2000:4000 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --source-port 4000 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 4000 -j ACCEPT

# ----------------------------------------------------------------------------
# SYSLOG client (514)
# ----------------------------------------------------------------------------
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
#          -s $IPADDR --source-port 514 \
#          -d $SYSLOG_SERVER --destination-port $UNPRIVPORTS -j ACCEPT

# ----------------------------------------------------------------------------
# ICMP
# ----------------------------------------------------------------------------
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.

# For bi-directional ping.
#     Message Types:  Echo_Reply (0),  Echo_Request (8)
#     To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
#     Message Types:  INCOMING  Dest_Unreachable (3),  Time_Exceeded (11)
#     default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
#     Message Types:  OUTGOING  Dest_Unreachable (3),  Time_Exceeded (11)
#     To block this, deny OUTGOING 3 and 11

#  0: echo-reply (pong)
#  3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
#  4: source-quench
#  5: redirect
#  8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type echo-reply \
         -d $IPADDR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type destination-unreachable \
         -d $IPADDR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type source-quench \
         -d $IPADDR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type time-exceeded \
         -d $IPADDR -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type parameter-problem \
         -d $IPADDR -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR --icmp-type source-quench -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp \
         -s $IPADDR --icmp-type parameter-problem -j ACCEPT

# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --destination-port $PRIVPORTS -j DROP

iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --destination-port $UNPRIVPORTS -j DROP

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type 5 -j DROP

iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp \
         --icmp-type 13/255 -j DROP

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT

# ----------------------------------------------------------------------------
        ;;
  stop)
        echo -n "Shutting Firewalling: "
        # Remove all existing rules belonging to this filter
        iptables -F
        # Delete all user-defined chain to this filter
        iptables -X
        # Reset the default policy of the filter to accept.
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        ;;
  status)
        status iptables
        ;;
  restart|reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: iptables {start|stop|status|restart|reload}"
        exit 1
esac

echo "done"
exit 0


Step 2

Once the script file has been created, it is important to make it executable, change its default
permissions, create the necessary links and start it. Making this file executable allows the
system to run it; changing its default permissions allows only the root user to change this file,
for security reasons; and creating the symbolic links lets the process control initialization of
Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the script automatically for you at each boot.

• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/iptables
[root@deep /]# chown 0.0 /etc/rc.d/init.d/iptables

• To create the symbolic rc.d links for your firewall, use the following commands:
[root@deep /]# chkconfig --add iptables
[root@deep /]# chkconfig --level 2345 iptables on

• To manually stop the firewall on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables stop
Shutting Firewalling Services: [OK]

• To manually start the firewall on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables start
Starting Firewalling Services: [OK]

Now your firewall rules are configured to use System V init (System V init is in charge of starting
all the normal processes that need to run at boot time) and the firewall will be started automatically
each time your server boots.








WARNING: Don't try to edit the above script with MS WordPad or a similar program, or strange
characters will appear in the firewall script file under Linux. Instead, use the vi editor of Linux to
edit the file and everything will work fine for you. You have been warned.











NOTE: All the configuration files required for each piece of software described in this book have been
provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can
unpack this to any location on your local machine, say for example /var/tmp; assuming you
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this directory
each configuration file has its own directory for its respective software. You can either cut and paste
these directly, if you are faithfully following our instructions from the beginning, or manually edit them
to suit your needs. This facility is there as a convenience, but please don't forget that
ultimately it is your responsibility to check and verify them before you use them, whether modified
or as they are.





Deny access to some address

Sometimes you'll know an address that you would like to block from having any access at all to
your server. You can do that by creating the rc.firewall.blocked file under the /etc/rc.d
directory. Instead of entering an entire iptables line per IP address for those jerks on the
Internet, Michael Brown has provided a bit of code, already included in all the firewall script
files in this book, that takes a listing of IP addresses, strips out any comments and runs the
resulting list through an iptables routine.

The net effect is that the /etc/rc.d/rc.firewall.blocked file grows no more than
needed, especially when one might have a large number of IP addresses to deny.

Modification released under the GNU. There is no other error checking done... nor is there any
warranty implied or expressed. Use at your own discretion and RISK.

Here is a sample rc.firewall.blocked file listing:

# 333.444.555.666 # some comment about value one
#  #444.555.666.777 # some more text
#    555.666.777.888 # some comment on value three and line begins with spaces.
# some text 666.777.888.999 # there might be text here too.

# This will produce a temp.ipaddresses file listing of:
# 333.444.555.666
# 555.666.777.888

# Then the case statement will put each IP address into the selected rules of deny/reject.
Step 1

Create the rc.firewall.blocked file (touch /etc/rc.d/rc.firewall.blocked) and
add inside this file all the IP addresses that you want to block from having any access to your
server at all. For example, I've put the following IP addresses in this file:

204.254.45.9 # Cracker site with priority 01.
187.231.11.5 # Spam site with priority 07.
#214.34.144.4 # Temporarily reactivated, please verify with log file.

Here we can see how this modified code can be useful. We can add the bad IP address, with
some comments if necessary to remember the actions taken for the specified IP address, to the
/etc/rc.d/rc.firewall.blocked file.

Step 2
Once the rc.firewall.blocked file has been created, it is time to check its permission
mode and change its owner to be the super-user "root".

• To set this file's permission mode and change its owner, use the commands:
[root@deep /]# chmod 644 /etc/rc.d/rc.firewall.blocked
[root@deep /]# chown 0.0 /etc/rc.d/rc.firewall.blocked
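As an added example, not part of the book or of Michael Brown's code, the same selection logic is written below as shell functions that can be exercised without root: one applies the rc.firewall.blocked convention to a constructed sample file, a second discards entries that are not valid IPv4 addresses, and a third prints the rules the script's case statement would append instead of running iptables. The interface name eth0 and the sample file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the book. Assumed external interface name.
EXTERNAL_INTERFACE="eth0"

# Print one address per line from a blocked-address file. A line is selected
# only when, after optional leading blanks, it starts with a dotted quad;
# everything after the address (for instance a "#" comment) is discarded.
# Commented-out addresses and addresses preceded by other text are skipped,
# which is the behaviour the book describes for its sample listing.
blocked_ips() {
    sed -n -e 's/^[[:blank:]]*\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*$/\1/p' "$1"
}

# Keep only syntactically valid IPv4 addresses (every octet 0-255). The
# firewall script does not check iptables exit codes, so an invalid entry such
# as 333.444.555.666 would make its iptables call fail without any visible
# error; filtering here makes that failure mode explicit instead.
valid_blocked_ips() {
    blocked_ips "$1" |
        awk -F. 'NF == 4 && $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255'
}

# Emit, as text, the four rules the script adds for each blocked address:
# drop it in both directions on the external interface's INPUT side, and
# reject it in both directions on the OUTPUT side.
blocked_rules() {
    valid_blocked_ips "$1" | while read -r ip; do
        printf 'iptables -A INPUT  -i %s -s %s -j DROP\n'   "$EXTERNAL_INTERFACE" "$ip"
        printf 'iptables -A INPUT  -i %s -d %s -j DROP\n'   "$EXTERNAL_INTERFACE" "$ip"
        printf 'iptables -A OUTPUT -o %s -s %s -j REJECT\n' "$EXTERNAL_INTERFACE" "$ip"
        printf 'iptables -A OUTPUT -o %s -d %s -j REJECT\n' "$EXTERNAL_INTERFACE" "$ip"
    done
}

# Constructed sample file: the book's listing plus two of its Step 1 entries.
SAMPLE_FILE="${TMPDIR:-/tmp}/rc.firewall.blocked.sample.$$"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
333.444.555.666 # some comment about value one
 #444.555.666.777 # some more text
   555.666.777.888 # some comment on value three and line begins with spaces.
some text 666.777.888.999 # there might be text here too.
204.254.45.9 # Cracker site with priority 01.
#214.34.144.4 # Temporarily reactivated, please verify with log file.
EOF

# Selected addresses (333.444.555.666, 555.666.777.888, 204.254.45.9), then the
# rules actually generated, which cover only the valid 204.254.45.9.
blocked_ips "$SAMPLE_FILE"
blocked_rules "$SAMPLE_FILE"
```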


Further documentation
For more details, there are manual pages you can read:

$ iptables (8)          - IP packet filter administration
$ iptables-save (8)     - Save IP Tables
$ iptables-restore (8)  - Restore IP Tables


IPTABLES Administrative Tools 
The commands listed below are some that we use often, but many more exist, and you should 
check the manual pages and documentation for more information. 


IPTABLES 

The iptables tool is used for the firewall packet filter administration of the Linux system. We
can use it to set up a firewall rules file, as we are doing in this book. Once firewall rules have
been created, we can use its many commands to maintain and inspect the rules in the Linux
kernel.


• To list all rules in the selected chain, use the command:
[root@deep /]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

This command will list all rules in the selected chain. If no chain is selected, all chains are listed.

• To list all input rules in the selected chain, use the command:
[root@deep /]# iptables -L INPUT
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
DROP       all  --  204.254.45.9         anywhere
DROP       all  --  187.231.11.5         anywhere
DROP       all  --  207.35.78.5          anywhere

This command will list all input rules we have configured in the selected chain.

• To list all output rules in the selected chain, use the command:
[root@deep /]# iptables -L OUTPUT
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.1.0/24
ACCEPT     udp  --  207.35.78.5          207.35.78.3          udp spt:domain dpt:domain
ACCEPT     tcp  --  207.35.78.5          207.35.78.3          tcp spts:1024:65535 dpt:domain

This command will list all output rules we have configured in the selected chain.

• To list all forward rules in the selected chain, use the command:
[root@deep /]# iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp
DROP       tcp  --  anywhere             anywhere             tcp
DROP       all  --  !192.168.0.0/24      anywhere
ACCEPT     all  --  192.168.0.0/24       anywhere             state NEW
ACCEPT     all  --  !192.168.0.0/24      anywhere             state

This command will list all forward rules in the selected chain. This of course works only if you
have configured Masquerading on your server (for gateway servers in general).

• To list all rules in numeric output in the selected chain, use the command:
[root@deep /]# iptables -nL
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
DROP       all  --  204.254.45.9         0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.1.0/24
ACCEPT     udp  --  207.35.78.5          207.35.78.3

This command will list all rules in numeric output. All the IP addresses and port numbers will be
printed in numeric format.
Part IV Cryptography & Authentication Related Reference
In this Part

Cryptography & Authentication - GnuPG
Cryptography & Authentication - OPENSSL
Cryptography & Authentication - OpenSSH

In this part, we'll talk about three essential programs that I highly recommend you install on all
the servers you may run. Those programs are vital to keep communications with your servers secure.
Since the beginning of this book, we've been talking about network security, and network security
means secure communications; therefore it's important to keep all communication as secure as
possible.

It's not a plus to install those programs, it's an absolute necessity.
10 Cryptography & Authentication - GnuPG
In this Chapter

Compiling - Optimizing & Installing GnuPG
GnuPG Administrative Tools

Linux GnuPG


Abstract 

At this point of our reading, we are ready to compile, configure, optimize and install software on
our Linux server. Yes, it is time, and we will begin our adventure with the powerful and easy to
install GnuPG tool. Why do we choose to begin with GnuPG? The answer is simple: we are working
with a highly secured server, and the first action to take each time we want to install some new
software on this secured machine is to be absolutely sure that the software in question comes
from a trusted source and is unmodified. With the GnuPG tool we can verify the supplied signature
and be sure that the software is original. So it is recommended that this program is installed
before any others.

Encryption of data sources is an invaluable feature that gives us a high degree of confidentiality
for our work. A tool like GnuPG does much more than just encryption of mail messages. It can be
used for all kinds of data encryption, and its utilization is only limited by the imagination. The
GnuPG RPM package comes already installed on your computer, but this version is not up to date
and it's recommended you install the latest release available for your server and CPU
architecture.


According to the official [GnuPG README] file:

GnuPG is GNU's tool for secure data communication and storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. Because GnuPG does not use any patented algorithm it is not compatible with PGP2 versions. PGP 2.x uses only IDEA (which is patented worldwide) and RSA (which is patented in the United States until Sep 20, 2000).





These installation instructions assume 

Commands are Unix-compatible. 

The source path is /var/tmp (note that other paths are possible, as personal discretion). 
Installations were tested on Red Hat 7.1. 

All steps in the installation will happen using the super-user account “root”. 

Whether kernel recompilation may be required: No 

Latest GnuPG version number is 1.0.6 


Packages 
The following are based on information as listed by GnuPG as of 2001/05/25. Please regularly 
check at www.gnupg.org for the latest status. 


Pristine source code is available from: 


GnuPG Homepage: http://www.gnupg.org/ 
GnuPG FTP Site: 134.95.80.189 


You must be sure to download: gnupg-1.0.6.tar.gz 
Pristine source

If you don't use the RPM package to install this program, it will be difficult to locate all the installed files on the system when an update comes along in the future. To solve the problem, it is a good idea to make a list of files on the system before you install GnuPG, and another afterwards, and then compare them using the diff utility of Linux to find out what files were placed where.

• Simply run the following command before installing the software:
[root@deep /root]# find /* > GnuPG1

• And the following one after you install the software:
[root@deep /root]# find /* > GnuPG2

• Then use the following command to get a list of what changed:
[root@deep /root]# diff GnuPG1 GnuPG2 > GnuPG-Installed

With this procedure, if any upgrade appears, all you have to do is read the generated list of what files were added or changed by the program and remove them manually from your system before installing the new software. In our example above, we use the /root directory of the system to store all the generated list files.


Compiling - Optimizing & Installing GnuPG 

Below are the required steps that you must make to configure, compile and optimize the GnuPG 
software before installing it into your Linux system. First off, we install the program as user ‘root’ 
so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


e These procedures can be accomplished with the following commands: 
[root@deep /]# cp gnupg-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 

[root@deep tmp]# tar xzpf gnupg-version.tar.gz 


Step 2

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you would normally verify the supplied signature with the commands described later in this chapter. Since we don't have GnuPG installed yet, we have to fall back on the MD5 checksum of the archive.

• To verify the MD5 checksum of GnuPG, use the following command:
[root@deep /]# md5sum gnupg-version.tar.gz

This should yield an output similar to this:
70319a9e5e70ad9bc3bf0d7b5008a508  gnupg-1.0.6.tar.gz

Now check that this checksum is exactly the same as the one published on the GnuPG website at the following URL: http://www.gnupg.org/download.html

Keep in mind what this check does and does not prove. A matching checksum shows that the archive was not corrupted or swapped in transit, but if the checksum is fetched from the same web site as the archive, an attacker who controls that site can change both. Whenever possible take the published checksum from a second channel (a mailing-list announcement, a mirror, a printed reference) and, once gpg is available, verify the OpenPGP signature of every later download instead.
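The following is an added example, not code from the book, that makes the comparison above mechanical and shows the failure case: a POSIX shell function that verifies an archive against an expected MD5 digest (as used here) or SHA-256 digest and refuses, with a distinct exit status, on a mismatch, on a malformed expected value, or on a missing file. It needs only md5sum and sha256sum from coreutils; the file and digests used at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the book's code: check a downloaded archive against a
# digest obtained through a separate channel, and refuse to go on if it
# does not match.  Accepts an MD5 digest (32 hex digits, as the book uses)
# or a SHA-256 digest (64 hex digits).  Needs only coreutils.
set -eu

# digest_of <file> <md5|sha256>: print just the hex digest of the file
digest_of() {
    case "$2" in
        md5)    md5sum    "$1" | awk '{ print $1 }' ;;
        sha256) sha256sum "$1" | awk '{ print $1 }' ;;
        *)      echo "unknown algorithm: $2" >&2; return 2 ;;
    esac
}

# verify_archive <file> <expected-hex-digest>
# Exit status: 0 = match, 1 = mismatch, 2 = unusable input.
# The algorithm is picked from the digest length, so a truncated or
# mistyped expected value is rejected instead of silently "matching".
verify_archive() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case "$expected" in
        "" | *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    case ${#expected} in
        32) algo=md5 ;;
        64) algo=sha256 ;;
        *)  echo "expected digest has wrong length (${#expected})" >&2; return 2 ;;
    esac
    actual=$(digest_of "$file" "$algo")
    if [ "$actual" = "$expected" ]; then
        echo "$algo OK: $file"
        return 0
    fi
    echo "$algo MISMATCH for $file: got $actual, expected $expected" >&2
    return 1
}

# Demonstration on a constructed file standing in for gnupg-1.0.6.tar.gz.
demo() {
    tmp=$(mktemp)
    printf 'not really a tarball\n' > "$tmp"
    good=$(digest_of "$tmp" md5)                       # the "published" value
    verify_archive "$tmp" "$good"
    verify_archive "$tmp" 00000000000000000000000000000000 || echo "refusing to install"
    rm -f "$tmp"
}

demo
```

Save it as verify.sh and run `sh verify.sh` to see both outcomes. In a real installation, call verify_archive with the downloaded archive and the digest copied from the announcement, and stop the procedure whenever it returns non-zero.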
Step 3

After that, move into the newly created GnuPG directory, then configure and optimize it.

• To move into the newly created GnuPG directory use the following command:
[root@deep tmp]# cd gnupg-1.0.6/

• To configure and optimize GnuPG use the following compile lines:

CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
--disable-nls

WARNING: Pay special attention to the CFLAGS line above. We optimize GnuPG for an i686 CPU architecture with the parameters "-march=i686 -mcpu=i686". Please don't forget to adjust the CFLAGS line to reflect your own system.





Step 4

Now, we must make a list of files on the system before you install the software, and one afterwards, then compare them using the diff utility to find out what files are placed where, and finally install GnuPG on the server:

[root@deep gnupg-1.0.6]# make
[root@deep gnupg-1.0.6]# cd
[root@deep /root]# find /* > GnuPG1
[root@deep /root]# cd /var/tmp/gnupg-1.0.6/
[root@deep gnupg-1.0.6]# make check
[root@deep gnupg-1.0.6]# make install
[root@deep gnupg-1.0.6]# strip /usr/bin/gpg
[root@deep gnupg-1.0.6]# strip /usr/bin/gpgv
[root@deep gnupg-1.0.6]# cd
[root@deep /root]# find /* > GnuPG2
[root@deep /root]# diff GnuPG1 GnuPG2 > GnuPG-Installed

The above commands compile all source files into executable binaries (configure, run in the previous step, has already checked that your system has the necessary libraries), and then install the binaries and any supporting files into the appropriate locations.

The make check will run the self-tests that come with the package; do not run make install if any of them fail. The strip command removes the symbol tables from the gpg and gpgv binaries, which reduces their size on disk (it does not change how fast they run).
Step 5

Once compilation, optimization and installation of the software have been finished, we can free up some disk space by deleting the program tar archive and the related source directory, since they are no longer needed.

• To delete the GnuPG archive and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf gnupg-version/
[root@deep tmp]# rm -f gnupg-version.tar.gz

The rm command as used above will remove all the source files we have used to compile and install GnuPG. It will also remove the GnuPG compressed archive from the /var/tmp/ directory.


GnuPG Administrative Tools 
The commands listed below are ones that we use often, but many more exist. Check the manual 
page gpg (1) for more information. 


Creating a key
First of all, if this is the first use of the GnuPG software, we must create a new key-pair (public and private) to be able to use its encryption features.

• To create a new key-pair, use the following command:
[root@deep /]# gpg --gen-key
gpg (GnuPG) 1.0.6; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: /root/.gnupg: directory created
gpg: /root/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file

• We start GnuPG again with the same command:
[root@deep /]# gpg --gen-key
gpg (GnuPG) 1.0.6; Copyright (C) 2000 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: /root/.gnupg/secring.gpg: keyring created
gpg: /root/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (4) ElGamal (sign and encrypt)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Gerhard Mourani
Email address: gmourani@openna.com
Comment:
You selected this USER-ID:
    "Gerhard Mourani <gmourani@openna.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

Enter passphrase: mypassphrase
Repeat passphrase: mypassphrase

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.+++++++++++++++.++++++++++..+++++
public and secret key created and signed.

A new key-pair (secret and public key) is created in the "root" home directory, under /root/.gnupg. Note that gpg does not echo the passphrase; it is shown above only to make the dialogue readable. The passphrase is all that protects the secret key file if the machine is ever compromised, so choose a long one. The choices shown here (1024-bit keys that never expire) were the defaults in 2001 and are no longer adequate: use keys of at least 2048 bits and give the key an expiry date, which can be extended later without generating a new key.


Exporting a key/s for a user

Once your own key-pair is created, you can expand your horizons by exporting and distributing your public key over the world. This can be done by publishing it on your homepage, through an available key server on the Internet, or any other available method. GnuPG has some useful options to help you publish your public keys.

• To extract your public key in ASCII armored output, use the following command:
[root@deep /]# gpg --export -ao filename UID

As an example:
[root@deep /]# gpg --export -ao gmourani.asc "Gerhard Mourani"

Where "--export" extracts the public key from your pubring file, "a" creates ASCII armored output that you can mail, publish or put on a web page, "o" writes the result to the file named by the next argument (gmourani.asc here; any name will do), and UID identifies the key you want to export. Note that "-o" consumes the argument that follows it, so the output file name must come before the user ID, and a user ID containing spaces must be quoted.
Importing a key/s

When you receive someone's public key (or some trusted third-party keys) you have to add them to your key database in order to be able to use them for future encryption, verification and authentication.

• To import public keys into your keyring database, use the following command:
[root@deep /]# gpg --import filename

As an example:
[root@deep /]# gpg --import redhat2.asc
gpg: key DB42A60E: public key imported
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg:               imported: 1

The above command will append the new key(s) found in filename to the keyring database and will update any already existing keys. It is important to note that GnuPG does not import keys whose user IDs are not self-signed. Importing a key says nothing about whether it is genuine; that is what the fingerprint check and key signing in the next section are for.


Key signing

When you import keys into your public keyring database and are sure that the trusted third party is really the person they claim to be, you can start signing his/her keys. Signing a key certifies that you know the owner of the key; the signature acknowledges that the user ID mentioned in the key really belongs to the owner of that key. The way to become sure is to compare the fingerprint gpg displays with one obtained through an independent channel (in person, by telephone, or from a printed source), never from the same place the key itself came from.

• To sign the key for the company Red Hat that we have added to our keyring database above, use the following command:
[root@deep /]# gpg --sign-key UID

As an example:
[root@deep /]# gpg --sign-key RedHat

pub  1024D/DB42A60E  created: 1999-09-23 expires: never      trust: -/q
sub  2048g/961630A2  created: 1999-09-23 expires: never
(1)  Red Hat, Inc <security@redhat.com>

pub  1024D/DB42A60E  created: 1999-09-23 expires: never      trust: -/q
             Fingerprint: CA20 8686 2BD6 9DFC 65F6  ECC4 2191 80CD DB42 A60E

     Red Hat, Inc <security@redhat.com>

Are you really sure that you want to sign this key
with your key: "Gerhard Mourani <gmourani@openna.com>"

Really sign? y

You need a passphrase to unlock the secret key for
user: "Gerhard Mourani <gmourani@openna.com>"
1024-bit DSA key, ID 90883AB4, created 2000-10-24

Enter passphrase:

WARNING: You should only sign a key as being authentic when you are ABSOLUTELY SURE that the key is really authentic! You should never sign a key based on any kind of assumption.
Checking the signature

We have shown above how to sign a key; now we will explain how people can verify that a signature is really the right one. Once you have extracted your public key and exported it, everyone who knows or gets your public key should be able to check whether signed data from you is really signed by you.

• To check the signature on signed data, use the following command:
[root@deep /]# gpg --verify Data

The "--verify" option checks the signature, where Data is the signed file you want to verify (a clearsigned or signed-and-armored file). For a detached signature, which is how most software archives are distributed, give both files: gpg --verify Data.sig Data. In every case the signer's public key must already be in your keyring, and "Good signature" only means something if you have checked that key's fingerprint; an attacker can just as easily produce a valid signature with a key of their own.


Encrypt and decrypt

After installing, importing, signing and configuring everything the way that we want, we can start encrypting and decrypting our files.

• To encrypt and sign data for the user Red Hat that we have added to our keyring database above, use the following command:
[root@deep /]# gpg -sear RedHat file

As an example:
[root@deep /]# gpg -sear RedHat Message-to-RedHat.txt

You need a passphrase to unlock the secret key for
user: "Gerhard Mourani <gmourani@openna.com>"
1024-bit DSA key, ID 90883AB4, created 2000-10-24
Enter passphrase:

Of the arguments passed, "s" is for signing (to avoid the risk that somebody else claims to be you, it is very useful to sign everything you encrypt), "e" for encrypting, "a" to create ASCII armored output (a ".asc" file ready for sending by mail), "r" names the recipient, i.e. the user ID of the public key the data is encrypted to, and file is the message you want to encrypt. The result is written to file.asc; only the holder of the recipient's private key can read it.

• To decrypt data, use the following command:
[root@deep /]# gpg -d file

For example:
[root@deep /]# gpg -d Message-from-GerhardMourani.asc
You need a passphrase to unlock the secret key for
user: "Gerhard Mourani (Open Network Architecture) <gmourani@openna.com>"
1024-bit DSA key, ID 90883AB4, created 2000-10-24
Enter passphrase:

Where "d" is for decrypting and file is the message you want to decrypt. Decryption needs our own private key (hence the passphrase prompt), and the decrypted output goes to standard output unless "-o outfile" is given. To check the signature on the message as well, the public key of the sender must be in our public keyring database; otherwise gpg can still decrypt the data but will report that it cannot check the signature.
Some possible uses of GnuPG
GnuPG can be used to:

• Encrypt data.
• Create digital signatures.
• Verify program source integrity.
• Sign individual sensitive files.

List of installed GnuPG files in your system

> /usr/bin/gpg
> /usr/bin/gpgv
> /usr/lib/gnupg
> /usr/lib/gnupg/rndunix
> /usr/lib/gnupg/rndegd
> /usr/lib/gnupg/tiger
> /usr/share/man/man1/gpg.1
> /usr/share/man/man1/gpgv.1
> /usr/share/gnupg
> /usr/share/gnupg/options.skel
> /usr/share/gnupg/FAQ
> /usr/share/gnupg/faq.html
> /usr/share/info
> /usr/share/info/gpg.info
> /usr/share/info/gpgv.info
11 Cryptography & Authentication - OPENSSL
In this Chapter

Compiling - Optimizing & Installing OpenSSL
Configuring OpenSSL
OpenSSL Administrative Tools
Securing OpenSSL
Linux OPENSSL

Abstract

Most server software like IMAP & POP, SSH, Samba, Sendmail, OpenLDAP, FTP, Apache, and others that ask users to authenticate themselves before allowing access to services transmit, by default, the users' login id and password in plain text. Encryption mechanisms like SSL ensure safe and secure transactions instead: with this technology, data going over the network is encrypted point-to-point between the two communicating programs, so a sniffer on the path sees neither credentials nor content. Once OpenSSL has been installed on your Linux server you can use it as a third-party tool to give other applications SSL functionality.

As explained on the [OpenSSL web site]:

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.


[Figure: OpenSSL protocol summary. Client request: "I'll use your public key to send you a secret key. If you are who you say you are, you can read it with your private key." Server response: "I'll use the secret key to send you what you asked for." Caption: Summary of the cryptographic technology.]


Cryptography Advantages

The main advantages gained by using encryption technology are:

Data Confidentiality

When a message is encrypted, an algorithm transforms the input plain text into enciphered text that hides the meaning of the message, which can then be sent via any public mechanism. This process involves a secret key that is used to encrypt and later decrypt the data. Without the secret key, the encrypted data is meaningless.

Data Integrity

A cryptographic checksum, called a message authentication code (MAC), can be calculated on arbitrary user-supplied text to protect the integrity of the data. The result (text and MAC) is then sent to the receiver, who verifies the MAC appended to the message by recalculating the MAC over the message with the appropriate secret key and checking that it exactly matches the received one. Without the secret key, a third party can neither check nor forge the MAC, so any change to the text is detected.

Authentication

Personal identification is another use of cryptography, where the user/sender knows a secret which can serve to authenticate his/her identity.

Electronic Signature

A digital signature assures the sender and receiver that the message is authentic and that only the owner of the (private) key could have generated the digital signature, while anyone holding the corresponding public key can verify it.
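As an added example (not from the book or the OpenSSL project), the integrity and signature properties just described, exercised with the openssl command-line tool: an HMAC-SHA256 tag under a shared secret for data integrity, and an RSA signature that anyone with the public key can verify but only the private-key holder can produce. It assumes an openssl binary of version 1.0 or later on the PATH; the message, secret and key pair are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: the integrity (MAC) and signature
# properties described above, exercised with the openssl command-line tool.
# Assumes "openssl" 1.0 or later on the PATH.  The message, the shared
# secret and the key pair are constructed for the demonstration.
set -eu

# hmac_tag <secret> <file>: hex HMAC-SHA256 of the file under the secret
hmac_tag() {
    openssl dgst -sha256 -hmac "$1" "$2" | awk '{ print $NF }'
}

# hmac_verify <secret> <file> <tag>: 0 if the tag matches the file, 1 if not.
# Both ends must hold the same secret; whoever lacks it cannot forge a tag.
hmac_verify() {
    [ "$(hmac_tag "$1" "$2")" = "$3" ]
}

# make_rsa_keypair <privkey.pem> <pubkey.pem>: 2048-bit RSA key pair
make_rsa_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# rsa_sign <privkey.pem> <file> <sigfile>: detached SHA-256/RSA signature
rsa_sign() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# rsa_verify <pubkey.pem> <file> <sigfile>: 0 if the signature is valid for
# exactly this file, non-zero otherwise.  Only the public key is needed,
# which is what lets anyone check a signature that only the private-key
# holder could have produced.
rsa_verify() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Demonstration: a message, its MAC and signature, then a tampered copy.
demo() {
    work=$(mktemp -d)
    printf 'transfer 100 to account 42\n'  > "$work/msg"           # constructed
    printf 'transfer 1000 to account 42\n' > "$work/msg.tampered"  # one digit added
    secret='shared-secret-known-only-to-both-ends'

    tag=$(hmac_tag "$secret" "$work/msg")
    hmac_verify "$secret" "$work/msg" "$tag"          && echo "MAC: original accepted"
    hmac_verify "$secret" "$work/msg.tampered" "$tag" || echo "MAC: tampered copy rejected"

    make_rsa_keypair "$work/key.pem" "$work/pub.pem"
    rsa_sign "$work/key.pem" "$work/msg" "$work/msg.sig"
    rsa_verify "$work/pub.pem" "$work/msg" "$work/msg.sig"          && echo "signature: original verified"
    rsa_verify "$work/pub.pem" "$work/msg.tampered" "$work/msg.sig" || echo "signature: tampered copy rejected"

    rm -rf "$work"
}

demo
```

Run it with `sh crypto-demo.sh`. Confidentiality, the first advantage in the list, is not shown here; it is what the SSL/TLS connection itself provides once the applications in later chapters are built against OpenSSL.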


Disclaimer 

This software package uses strong cryptography, so even if it is created, maintained and 
distributed from liberal countries in Europe (where it is legal to do this), it falls under certain 
export/import and/or use restrictions in some other parts of the world. 


PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY 
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING 
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS 
OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE- 
DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN 
SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED 
TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY 
TO YOU. THE AUTHORS OF OPENSSL ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE 
HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY. 


These installation instructions assume 

Commands are Unix-compatible. 

The source path is /var/tmp (note that other paths are possible, as personal discretion). 
Installations were tested on Red Hat 7.1. 

All steps in the installation will happen using the super-user account “root”. 

Whether kernel recompilation may be required: No 

Latest OpenSSL version number is 0.9.6a 


Packages 
The following are based on information as listed by OpenSSL as of 2001/04/13. Please regularly 
check at www.openssl.org for the latest status. 


Pristine source code is available from: 

OpenSSL Homepage: http://www.openssl.org/ 

OpenSSL FTP Site: 129.132.7.170 

You must be sure to download: openssl-0.9.6a.tar.gz





Pristine source

If you don't use the RPM package to install this program, it will be difficult to locate all the installed files on the system when an update comes along in the future. To solve the problem, it is a good idea to make a list of files on the system before you install OpenSSL, and another afterwards, and then compare them using the diff utility of Linux to find out what files were placed where.

• Simply run the following command before installing the software:
[root@deep /root]# find /* > OpenSSL1

• And the following one after you install the software:
[root@deep /root]# find /* > OpenSSL2

• Then use the following command to get a list of what changed:
[root@deep /root]# diff OpenSSL1 OpenSSL2 > OpenSSL-Installed

With this procedure, if any upgrade appears, all you have to do is read the generated list of what files were added or changed by the program and remove them manually from your system before installing the new software. In our example above, we use the /root directory of the system to store all the generated list files.


Compiling - Optimizing & Installing OpenSSL

Below are the required steps that you must take to configure, compile and optimize the OpenSSL software before installing it into your Linux system. First off, we install the program as user 'root' so as to avoid authorization problems.

Step 1
Once you get the program from the main software site you must copy it to the /var/tmp directory and change to this location before expanding the archive.

• These procedures can be accomplished with the following commands:
[root@deep /]# cp openssl-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf openssl-version.tar.gz

Step 2
After that, move into the newly created OpenSSL directory, then configure and optimize it.

• To move into the newly created OpenSSL directory use the following command:
[root@deep tmp]# cd openssl-0.9.6a/

Step 3

By default, the OpenSSL source files assume that your perl binary program is located under /usr/local/bin/perl. We must modify the "#!/usr/local/bin/perl" line in all scripts that rely on perl in OpenSSL to reflect the location of our perl binary under Linux, /usr/bin.

• To point all OpenSSL script files to our perl binary, use the following command:
[root@deep openssl-0.9.6a]# perl util/perlpath.pl /usr/bin/perl

Afterwards, check the result on one of the rewritten scripts (for example with head -1 util/mkdef.pl): its first line must now name an interpreter that actually exists, such as #!/usr/bin/perl. If it does not, re-run util/perlpath.pl with the argument form its usage message asks for.

Step 4
At this stage, it is time to configure OpenSSL for our system.

• To configure and optimize OpenSSL, use the following compile lines:
./Configure linux-elf no-idea no-mdc2 no-rc5 no-md2 \
--prefix=/usr \
--openssldir=/usr/share/ssl
Step 5

After that, there is one file to modify, namely Makefile. The changes we make to it add our optimization flags to speed up the OpenSSL software, and change the directory where the OpenSSL manual pages will be installed to /usr/share/man.

a) Edit the Makefile file (vi +60 Makefile) and change the following line:

CFLAG= -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DNO_IDEA -DNO_MDC2 -DNO_RC5 -DNO_MD2 -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

To read:

CFLAG= -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DNO_IDEA -DNO_MDC2 -DNO_RC5 -DNO_MD2 -DL_ENDIAN -DTERMIO -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

WARNING: Please don't forget to adjust the above CFLAG line to reflect your own system and CPU. In the configure line, we disable support for the old algorithms MD2, MDC2, RC5 and IDEA, since they are rarely used or required now (IDEA and RC5 were also patent-encumbered at the time). Leaving them out of the build shrinks the library and removes code that would otherwise sit unused in every program linked against it.

b) Edit the Makefile file (vi +174 Makefile) and change the following line:

MANDIR=$(OPENSSLDIR)/man

To read:

MANDIR=/usr/share/man
Step 6

Now, we must make a list of files on the system before you install the software, and one afterwards, then compare them using the diff utility to find out what files are placed where, and finally install OpenSSL on the server:

[root@deep openssl-0.9.6a]# LD_LIBRARY_PATH=`pwd` make
[root@deep openssl-0.9.6a]# LD_LIBRARY_PATH=`pwd` make test
[root@deep openssl-0.9.6a]# cd
[root@deep /root]# find /* > OpenSSL1
[root@deep /root]# cd /var/tmp/openssl-0.9.6a/
[root@deep openssl-0.9.6a]# make install
[root@deep openssl-0.9.6a]# strip /usr/bin/openssl
[root@deep openssl-0.9.6a]# mkdir -p /usr/share/ssl/crl
[root@deep openssl-0.9.6a]# /sbin/ldconfig
[root@deep openssl-0.9.6a]# cd
[root@deep /root]# find /* > OpenSSL2
[root@deep /root]# diff OpenSSL1 OpenSSL2 > OpenSSL-Installed

The above commands compile all source files into executable binaries and libraries, run the OpenSSL test suite against the freshly built libraries, and finally install the binaries and any supporting files into the appropriate locations. Do not run make install if make test reports a failure.

The test programs must find the freshly built OpenSSL shared libraries rather than any older copies already installed on the system. With "LD_LIBRARY_PATH=`pwd`", as used in the compile lines, we set the dynamic linker's library search path to the directory where we have uncompressed the OpenSSL source files, so the new libcrypto and libssl from the build tree are the ones loaded. Running /sbin/ldconfig after make install refreshes the shared-library cache so that other programs pick up the newly installed libraries.

NOTE: It is important to know that RSAREF is no longer needed, because RSA Security Inc. released the RSA public key encryption algorithm into the public domain on September 6, 2000. There is no longer any need to use RSAREF, and since RSAREF is slower than OpenSSL's RSA routines there's good reason not to.














Step 7 

Once compilation, optimization and installation of the software have been finished, we can free up 
some disk space by deleting the program tar archive and the related source directory since they 
are no longer needed. 


e Todelete OpenSSL and its related source directory, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf openssl-version/ 
[root@deep tmp]# rm -f openssl-version.tar.gz 


The rm command as used above will remove all the source files we have used to compile and 
install OpenSSL. It will also remove the OpenSSL compressed archive from the /var/tmp 
directory 


Configuring OpenSSL
After building OpenSSL, your next step is to verify or change, if necessary, options in your OpenSSL configuration files. Those files are:

✓ /usr/share/ssl/openssl.cnf (The OpenSSL Configuration File)
✓ /usr/share/ssl/misc/sign.sh (The mod_ssl CA script file to sign certificates)

/usr/share/ssl/openssl.cnf: The OpenSSL Configuration File

This is the general configuration file for the OpenSSL program, where you can configure the expiration date of your keys, the name of your organization, the address and so on. The most important parameters you may change are in the [ CA_default ] and especially the [ req_distinguished_name ] sections. We must change the defaults to fit our requirements and operating system. In the listing below, the lines you must customize for your own site are the directory entries under [ CA_default ] (everything lives under /usr/share/ssl, the --openssldir we gave Configure, with the CA database files renamed ca.db.*) and the _default values under [ req_distinguished_name ] (country, province, city, organization, unit, common name and e-mail address).

Two of the defaults in this file reflect 2001 practice and should be raised on any installation made today: default_md = md5 (MD5 collisions have since been used to forge certificates; use sha256) and default_bits = 1024 (use at least 2048).

• Edit the openssl.cnf file (vi /usr/share/ssl/openssl.cnf) and set your needs.











#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /usr/share/ssl        # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/ca.db.index      # database index file.
new_certs_dir   = $dir/ca.db.certs      # default place for new certs.

certificate     = $dir/certs/ca.crt     # The CA certificate
serial          = $dir/ca.db.serial     # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.key   # The private key
RANDFILE        = $dir/ca.db.rand       # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CA
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Quebec

localityName                    = Locality Name (eg, city)
localityName_default            = Montreal

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = OpenNA.com

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Network Operation Center

commonName                      = Common Name (eg, YOUR name)
commonName_default              = www.openna.com
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_default            = noc@openna.com
emailAddress_max                = 40

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 8
challengePassword_max           = 20

unstructuredName                = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE



LEI 





Here are som xamples of the usage of nsCertType. If it is omitted 
the certificate can be used for anything *except* object signing. 


This is OK for an SSL server. 


nsCertType = server 


For an object signing certificate this would be used. 


nsCertType = objsign 


For normal client use this is typical 


nsCertType = client, email 





and for everything including object signing: 


nsCertType = client, email, objsign 











[This is typical in keyUsage for a client certificate. 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment 














[This will be displayed in Netscape's comment listbox. 
nsComment = "OpenSSL Generated Certificate" 











PKIX recommendations harmless if included in all certificates. 
subjectKeylIdentifier=hash 
authorityKeyldentifier=keyid,issuer:always 








This stuff is for subjectAltName and issuerAltname. 
Import the email address. 
subjectAltName=email:copy 


Copy subject details 
issuerAltName=issuer:copy 


nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem 
nsBaseUrl 

nsRevocationUrl 

nsRenewalUrl 

nsCaPolicyUrl 

nsSslServerName 








v3_req ] 
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# Extensions to add to a certificate request 


basicConstraints = CA:FALSE 
keyUsage = nonRepudiation, digitalSignature, keyEncipherment 











[ v3_ca ] 





# Extensions for a typical CA 


# PKIX recommendation. 





subjectKeylIdentifier=hash 





authorityKeyldentifier=keyid:always,issuer:always 


This is what PKIX recommends but some broken software chokes on critical 
extensions. 


basicConstraints = critical, CA:true 
So we do this instead. 
basicConstraints = CA:true 
Key usage: this is typical for a CA certificate. However since it will 








prevent it being used as an test self-signed certificate it is best 
left out by default. 
keyUsage = cRLSign, keyCertSign 


Some might want this also 
nsCertType = sslCA, emailCA 


Include email address in subject alt name: another PKIX recommendation 
subjectAltName=email: copy 

Copy issuer details 

issuerAltName=issuer: copy 


DER hex encoding of an extension: beware experts only! 
obj J=DER: 02:03 

Where 'obj' is a standard or added object 

You can even override a supported extension: 
basicConstraints= critical, DER:30:03:01:01:FF 











crl_ext ] 


CRL extensions. 
Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. 














issuerAltName=issuer: copy 
authorityKeyldentifier=keyid:always,issuer:always 











WARNING: You don't need to change all the default options set in the file openssl.cnf; the
configurations you will usually change are in the [ CA_default ] and
[ req_distinguished_name ] sections.
/usr/share/ssl/misc/sign.sh: The Script File to Sign Certificates

The openssl ca command has some strange requirements, and the default OpenSSL config
doesn't allow one to use openssl ca directly in an easy way. It is for this reason that we don't use the
files CA.pl or CA.sh to sign certificates. To solve the problem, we'll create and customize the
sign.sh script file below to replace them. The parts of the script file that must be customized and
adjusted to satisfy your needs are the [ CA_own ] section and the openssl verify line that names
the CA certificate.


Step 1 
Create the sign.sh script file (touch /usr/share/ssl/misc/sign.sh) and add into it the 
following lines: 


#!/bin/sh
##
##  sign.sh -- Sign a SSL Certificate Request (CSR)
##  Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##

#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f $CSR ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
   *.csr ) CERT="`echo $CSR | sed -e 's/\.csr/.crt/'`" ;;
       * ) CERT="$CSR.crt" ;;
esac

#   make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi

#   create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca              = CA_own
[ CA_own ]
dir                     = /usr/share/ssl
certs                   = /usr/share/ssl/certs
new_certs_dir           = /usr/share/ssl/ca.db.certs
database                = /usr/share/ssl/ca.db.index
serial                  = /usr/share/ssl/ca.db.serial
RANDFILE                = /usr/share/ssl/ca.db.rand
certificate             = /usr/share/ssl/certs/ca.crt
private_key             = /usr/share/ssl/private/ca.key
default_days            = 365
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOT

#   sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /usr/share/ssl/certs/ca.crt $CERT

#   cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old

#   die gracefully
exit 0


Step 2 

Once the script file has been created, it is important to make it executable and change its default
permissions. Making this file executable will allow the system to run it; changing its default
permissions allows only the root user to change this file, for security reasons.


• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /usr/share/ssl/misc/sign.sh
[root@deep /]# chown 0.0 /usr/share/ssl/misc/sign.sh








WARNING: You can also find this program "sign.sh" in the mod_ssl distribution under the
mod_ssl-version/pkg.contrib/ subdirectory, or in our floppy-2.0.tgz archive file.
Also note that the section [ CA_own ] must be changed to reflect your own environment, and
don't forget to change the openssl verify -CAfile /usr/share/ssl/certs/ca.crt $CERT
line too.
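The difference between the policy_match section of openssl.cnf and the policy_anything section that sign.sh writes into ca.config decides which CSRs the CA will sign. The following is an added example, not code from the book or from OpenSSL: it re-implements the match / supplied / optional rules from the config comments over constructed subjects (CA_SUBJECT, SERVER_REQ with a hypothetical "Example Corp") so the effect of each policy, of the preserve setting, and of unlisted fields can be checked without a CA key.

```python
"""Model of the subject 'policy' check that openssl ca applies to a CSR.
Added example, not code from the book or from OpenSSL: it re-implements the
match / supplied / optional rules described in the openssl.cnf comments so the
effect of policy_match (openssl.cnf) versus policy_anything (sign.sh's
ca.config) can be seen without a CA key at hand. All subjects and the policy
excerpt are constructed for this demo; error texts paraphrase OpenSSL's."""
import re
from collections import OrderedDict

# Constructed excerpt carrying the same rules as the chapter's two policies.
POLICY_CNF = """\
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
"""

# Subject of the self-signed CA certificate from "CA Key & CRT Generation".
CA_SUBJECT = OrderedDict([
    ("countryName", "CA"), ("stateOrProvinceName", "Quebec"),
    ("localityName", "Montreal"),
    ("organizationName", "Open Network Architecture"),
    ("organizationalUnitName", "Marketing Department"),
    ("commonName", "www.openna.com"), ("emailAddress", "sales@openna.com"),
])

# A server CSR from a different organisation (hypothetical values).
SERVER_REQ = OrderedDict([
    ("countryName", "CA"), ("stateOrProvinceName", "Quebec"),
    ("localityName", "Montreal"), ("organizationName", "Example Corp"),
    ("commonName", "www.mydomain.com"), ("emailAddress", "noc@mydomain.com"),
])


def parse_policy(cnf_text, section):
    """Return the key = value pairs of one [ section ], in file order;
    '#' comments and blank lines are ignored, as in openssl.cnf."""
    policy, current = OrderedDict(), None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
        elif line and current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            policy[key] = value
    if not policy:
        raise ValueError("section [ %s ] not found or empty" % section)
    return policy


def apply_policy(policy, ca_subject, req_subject, preserve=False):
    """Return (True, issued_subject) or (False, reason).
    match: must equal the CA certificate's value; supplied: must be present;
    optional: copied when present. Fields the policy does not list are
    dropped from the issued subject (hence the comment "you must list all
    acceptable 'object' types"); preserve=yes keeps the request's subject
    unchanged once every check passes."""
    issued = OrderedDict()
    for field, rule in policy.items():
        value = req_subject.get(field)
        if rule == "optional":
            if value is None:
                continue
        elif rule == "supplied":
            if value is None:
                return False, "The %s field needed to be supplied and was missing" % field
        elif rule == "match":
            if field not in ca_subject:
                return False, "The %s field does not exist in the CA certificate" % field
            if value != ca_subject[field]:
                return False, ("The %s field needed to be the same in the CA certificate "
                               "(%s) and the request (%s)" % (field, ca_subject[field], value))
        else:
            return False, "unknown policy rule '%s' for %s" % (rule, field)
        issued[field] = value
    return True, OrderedDict(req_subject) if preserve else issued


def check_request(policy_name, req_subject, preserve=False):
    """Run one CSR subject through a named policy against CA_SUBJECT."""
    policy = parse_policy(POLICY_CNF, policy_name)
    return apply_policy(policy, CA_SUBJECT, req_subject, preserve)
```

With policy_match the server request is refused because its organizationName differs from the CA's, which is exactly why sign.sh generates its own config with policy_anything.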


All the configuration files required for each software package described in this book have been provided by
us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be downloaded from this
web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can unpack this to any
location on your local machine, say for example /var/tmp; assuming you have done this, your
directory structure will be /var/tmp/floppy-2.0. Within this floppy directory each
configuration file has its own directory for the respective software. You can either cut and paste these
directly if you are faithfully following our instructions from the beginning, or manually edit them to
suit your needs. This facility is there as a convenience, but please don't forget that
ultimately it is your responsibility to check and verify them before you use them, whether modified
or as they are.
OpenSSL Administrative Tools

After your desired configuration options have been set and the program is running, we can play
with its utility. As an example, we'll show you how to create certificates for the Apache Webserver
and your own CA (Certifying Authority) to sign your "Certificate Signing Request" yourself. All
commands listed below are assumed to be made in the /usr/share/ssl directory.


Apache Key & CSR Generation

The utility openssl that you use to generate the RSA Private Key (Key) and the Certificate
Signing Request (CSR) comes with OpenSSL and is usually installed under the directory
/usr/bin with our Linux distribution. Below are the steps to create certificates for Apache with
the mod_ssl Web server.


Step 1 

First you have to know the Fully Qualified Domain Name (FQDN) of the website for which you 
want to request a certificate. When you want to access your website through 
https://www.mydomain.com/ then the FQDN of your website is www.mydomain.com. 


Step 2
Second, select five large and relatively random files from your hard drive (compressed log files
are a good start) and put them under your /usr/share/ssl directory. These will act as your


• To select five random files and put them under /usr/share/ssl, use the commands:
[root@deep /]# cp /var/log/boot.log /usr/share/ssl/random1
[root@deep /]# cp /var/log/cron /usr/share/ssl/random2
[root@deep /]# cp /var/log/dmesg /usr/share/ssl/random3
[root@deep /]# cp /var/log/messages /usr/share/ssl/random4
[root@deep /]# cp /var/log/secure /usr/share/ssl/random5


Step 3

Third, create the RSA private key protected with a pass-phrase for your Apache Web server. The
command below will generate a 1024 bit RSA Private Key and store it in the file
www.mydomain.com.key. It will ask you for a pass-phrase: use something secure and
remember it. Your certificate will be useless without the key. If you don't want to protect your key
with a pass-phrase (only if you absolutely trust that server machine, and you make sure the
permissions are carefully set so only you can read that key) you can leave out the -des3 option
below.


• To generate the Key, use the following command:
[root@deep /]# cd /usr/share/ssl/
[root@deep ssl]# openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out www.mydomain.com.key 1024
123600 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.........................+++++
........+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
WARNING: Please backup your www.mydomain.com.key file and remember the pass-phrase you
had to enter, at a secure location. A good choice is to backup this information onto a diskette or
other removable media.





Step 4

Finally, generate a Certificate Signing Request (CSR) with the server RSA private key. The
command below will prompt you for the X.509 attributes of your certificate. Remember to give
the name www.mydomain.com when prompted for "Common Name". Do not enter your personal
name here. We are requesting a certificate for a Web server, so the Common Name has to match
the FQDN of your website (a requirement of the browsers).


• To generate the CSR, use the following command:
[root@deep ssl]# openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Network Operation Centre]:
Common Name (eg, YOUR name) [www.openna.com]:
Email Address [noc@openna.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.











WARNING: Make sure you enter the FQDN (Fully Qualified Domain Name) of the server when
OpenSSL prompts you for the "CommonName" (i.e. when you generate a CSR for a website which
will later be accessed via https://www.mydomain.com/, enter www.mydomain.com here).





After generation of your Certificate Signing Request (CSR), you must send this certificate to a 
commercial Certifying Authority (CA) like Thawte or Verisign for signing. You usually have to post 
the CSR into a web form, pay for the signing, await the signed Certificate and store it into a 
www.mydomain.com.crt file. The result is then a real Certificate, which can be used for 
Apache. 


280

OpenSSL
CHAPTER 11


CA Key & CRT Generation

If you don't want to pay a commercial Certifying Authority (CA) to sign your certificates, you can
use your own CA and sign the CSR yourself with this CA. This solution is economical,
and allows an organization to host its own CA server and generate as many certificates as it
needs for internal use without paying a cent to a commercial CA. Unfortunately, using your own
CA to generate certificates causes problems in electronic commerce, because customers need to
have some trust in your organization through the use of a recognized commercial CA. See below on how
to sign a CSR with your CA yourself.


Step 1

As for the Apache Web server above, the first step is to create the RSA private key protected with
a pass-phrase for your CA. The command below will generate a 1024 bit RSA Private Key and
store it in the file ca.key. It will ask you for a pass-phrase: use something secure and
remember it. Your certificate will be useless without the key.


• To create the RSA private key for your (CA), use the following command:
[root@deep /]# cd /usr/share/ssl/
[root@deep ssl]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.........................+++++
........+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:




















WARNING: Please backup your ca.key file and remember the pass-phrase you had to enter, at a
secure location. A good choice is to backup this information onto a diskette or other removable
media.





Step 2
Now, we must create a self-signed (CA) certificate (X.509 structure) with the RSA key of the CA.
The req command creates a self-signed certificate when the -x509 switch is used.


• To create a self-signed (CA) certificate, use the following command:
[root@deep ssl]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Network Operation Centre]:Marketing Department
Common Name (eg, YOUR name) [www.openna.com]:
Email Address [noc@openna.com]:sales@openna.com
Step 3
Once the self-signed (CA) certificate has been created, we must place all certificates and CA files
in their appropriate directory.


• To place the files into their appropriate directory, use the following commands:
[root@deep ssl]# mv www.mydomain.com.key private/
[root@deep ssl]# mv ca.key private/
[root@deep ssl]# mv ca.crt certs/


Step 4

Finally, you can use this CA to sign all server CSRs in order to create real SSL Certificates for
use inside an Apache Web server (assuming you already have a www.mydomain.com.csr at
hand). We must prepare the script sign.sh for signing (which is needed because the openssl
ca command has some strange requirements, and the default OpenSSL config doesn't allow one
to use openssl ca directly in an easy way). The script named sign.sh is distributed with the floppy disk
under the OpenSSL directory. Use this script for signing.


• To sign server CSRs in order to create real SSL Certificates, use the following command:
[root@deep ssl]# /usr/share/ssl/misc/sign.sh www.mydomain.com.csr
CA signing: www.mydomain.com.csr -> www.mydomain.com.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Quebec'
localityName          :PRINTABLE:'Montreal'
organizationName      :PRINTABLE:'Open Network Architecture'
organizationalUnitName:PRINTABLE:'Network Operation Centre'
commonName            :PRINTABLE:'www.openna.com'
emailAddress          :IA5STRING:'noc@openna.com'
Certificate is to be certified until Oct 18 14:59:29 2001 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: www.mydomain.com.crt <-> CA cert
www.mydomain.com.crt: OK





This signs the CSR and results in a www.mydomain.com.crt file. Move this file to its
appropriate directory.


• To move the CRT file to its appropriate directory, use the following command:
[root@deep ssl]# mv www.mydomain.com.crt certs/


Now you have two files: www.mydomain.com.key and www.mydomain.com.crt. These can 
now, for example, be used as follows, inside the virtual host section of your Apache server's 
httpd.conf file: 


SSLCertificateFile /usr/share/ssl/certs/www.mydomain.com.crt 
SSLCertificateKeyFile /usr/share/ssl/private/www.mydomain.com.key 
In this example, www.mydomain.com.crt is our Web server Certificate Signing Request Public
Key, and www.mydomain.com.key is our Web server RSA Private Key.


The www.mydomain.com.csr file is no longer needed; we can remove it safely from the
system.


• To remove this file from the system, use the following command:
[root@deep ssl]# rm -f www.mydomain.com.csr








WARNING: If you receive an error message during signature of the certificate, it's probably because
you've entered the wrong FQDN (Fully Qualified Domain Name) for the server when OpenSSL
prompted you for the "CommonName"; the "CommonName" must be something like
www.mydomain.com and not mydomain.com. Also, since you generate both the certificate and
the CA certificate, it's important that at least one piece of information differs between both files, or
you may encounter problems during the signature of the certificate request.





Securing OpenSSL 

This small section deals especially with actions we can make to improve and tighten security 
under OpenSSL. It is important to note that we refer to the features available within the base 
installed program and not to any additional software. 


Changing the default mode of OpenSSL keys
Make your keys "Read and Write" only by the super-user "root". This is important because no one
else needs to touch these files.


• To make your keys "Read and Write" only by "root", use the following commands:
[root@deep /]# chmod 750 /usr/share/ssl/private/
[root@deep /]# chmod 400 /usr/share/ssl/certs/ca.crt
[root@deep /]# chmod 400 /usr/share/ssl/certs/www.mydomain.com.crt
[root@deep /]# chmod 400 /usr/share/ssl/private/ca.key
[root@deep /]# chmod 400 /usr/share/ssl/private/www.mydomain.com.key


Some possible uses of OpenSSL software
OpenSSL can be used for:


• Creation of your own Certifying Authority Server.
• Creation of RSA, DH and DSA key parameters.
• Creation of X.509 certificates, CSRs and CRLs.
• Calculation of Message Digests.
• Encryption and Decryption with Ciphers.
• SSL/TLS Client and Server Tests.
• Handling of S/MIME signed or encrypted mail.
• Providing data confidentiality, integrity, authentication, and electronic signature in
transmission for the users.
• Securing electronic commerce transactions.
List of installed OpenSSL files in your system

> /usr/bin/openssl
> /usr/bin/c_rehash
> /usr/include/openssl
> /usr/include/openssl/e_os.h
> /usr/include/openssl/e_os2.h
> /usr/include/openssl/crypto.h
> /usr/include/openssl/tmdiff.h
> /usr/include/openssl/opensslv.h
> /usr/include/openssl/opensslconf.h
> /usr/include/openssl/ebcdic.h
> /usr/include/openssl/symhacks.h
> /usr/include/openssl/md2.h
> /usr/include/openssl/md4.h
> /usr/include/openssl/md5.h
> /usr/include/openssl/sha.h
> /usr/include/openssl/mdc2.h
> /usr/include/openssl/hmac.h
> /usr/include/openssl/ripemd.h
> /usr/include/openssl/des.h
> /usr/include/openssl/rc2.h
> /usr/include/openssl/rc4.h
> /usr/include/openssl/rc5.h
> /usr/include/openssl/idea.h
> /usr/include/openssl/blowfish.h
> /usr/include/openssl/cast.h
> /usr/include/openssl/bn.h
> /usr/include/openssl/rsa.h
> /usr/include/openssl/dsa.h
> /usr/include/openssl/dh.h
> /usr/include/openssl/dso.h
> /usr/include/openssl/buffer.h
> /usr/include/openssl/bio.h
> /usr/include/openssl/stack.h
> /usr/include/openssl/safestack.h
> /usr/include/openssl/lhash.h
> /usr/include/openssl/rand.h
> /usr/include/openssl/err.h
> /usr/include/openssl/objects.h
> /usr/include/openssl/obj_mac.h
> /usr/include/openssl/evp.h
> /usr/include/openssl/asn1.h
> /usr/include/openssl/asn1_mac.h
> /usr/include/openssl/pem.h
> /usr/include/openssl/pem2.h
> /usr/include/openssl/x509.h
> /usr/include/openssl/x509_vfy.h
> /usr/include/openssl/x509v3.h
> /usr/include/openssl/conf.h
> /usr/include/openssl/conf_api.h
> /usr/include/openssl/txt_db.h
> /usr/include/openssl/pkcs7.h
> /usr/include/openssl/pkcs12.h
> /usr/include/openssl/comp.h
> /usr/include/openssl/ssl.h
> /usr/include/openssl/ssl2.h
> /usr/include/openssl/ssl3.h
> /usr/include/openssl/ssl23.h
> /usr/include/openssl/tls1.h
> /usr/lib/libcrypto.a
> /usr/lib/libssl.a
> /usr/share/man/man1/ca.1
> /usr/share/man/man1/asn1parse.1
> /usr/share/man/man1/CA.pl.1
> /usr/share/man/man1/ciphers.1
> /usr/share/man/man1/crl2pkcs7.1
> /usr/share/man/man1/crl.1
> /usr/share/man/man1/dgst.1
> /usr/share/man/man1/dhparam.1
> /usr/share/man/man1/dsaparam.1
> /usr/share/man/man1/dsa.1
> /usr/share/man/man1/enc.1
> /usr/share/man/man1/gendsa.1
> /usr/share/man/man1/genrsa.1
> /usr/share/man/man1/nseq.1
> /usr/share/man/man1/openssl.1
> /usr/share/man/man1/passwd.1
> /usr/share/man/man1/pkcs12.1
> /usr/share/man/man1/pkcs7.1
> /usr/share/man/man1/pkcs8.1
> /usr/share/man/man1/rand.1
> /usr/share/man/man1/req.1
> /usr/share/man/man1/rsa.1
> /usr/share/man/man1/rsautl.1
> /usr/share/man/man1/s_client.1
> /usr/share/man/man1/sess_id.1
> /usr/share/man/man1/smime.1
> /usr/share/man/man1/speed.1
> /usr/share/man/man1/spkac.1
> /usr/share/man/man1/s_server.1
> /usr/share/man/man1/verify.1
> /usr/share/man/man1/version.1
> /usr/share/man/man1/x509.1
> /usr/share/man/man3/bn.3
> /usr/share/man/man3/BIO_ctrl.3
> /usr/share/man/man3/BIO_f_base64.3
> /usr/share/man/man3/BIO_f_buffer.3
> /usr/share/man/man3/BIO_f_cipher.3
> /usr/share/man/man3/BIO_find_type.3
> /usr/share/man/man3/BIO_f_md.3
> /usr/share/man/man3/BIO_f_null.3
> /usr/share/man/man3/BIO_f_ssl.3
> /usr/share/man/man3/BIO_new_bio_pair.3
> /usr/share/man/man3/BIO_new.3
> /usr/share/man/man3/bio.3
> /usr/share/man/man3/BIO_push.3
> /usr/share/man/man3/BIO_read.3
> /usr/share/man/man3/BIO_s_accept.3
> /usr/share/man/man3/BIO_s_bio.3
> /usr/share/man/man3/BIO_s_connect.3
> /usr/share/man/man3/BIO_set_callback.3
> /usr/share/man/man3/BIO_s_fd.3
> /usr/share/man/man3/BIO_s_file.3
> /usr/share/man/man3/BIO_should_retry.3
> /usr/share/man/man3/BIO_s_mem.3
> /usr/share/man/man3/BIO_s_null.3
> /usr/share/man/man3/BIO_s_socket.3
> /usr/share/man/man3/blowfish.3
> /usr/share/man/man3/BN_add.3
> /usr/share/man/man3/BN_add_word.3
> /usr/share/man/man3/BN_bn2bin.3
> /usr/share/man/man3/BN_cmp.3
> /usr/share/man/man3/BN_copy.3
> /usr/share/man/man3/BN_CTX_new.3
> /usr/share/man/man3/BN_CTX_start.3
> /usr/share/man/man3/BN_generate_prime.3
> /usr/share/man/man3/bn_internal.3
> /usr/share/man/man3/BN_mod_inverse.3
> /usr/share/man/man3/BN_mod_mul_montgomery.3
> /usr/share/man/man3/BN_mod_mul_reciprocal.3
> /usr/share/man/man3/BN_new.3
> /usr/share/man/man3/BN_num_bytes.3
> /usr/share/man/man3/BN_rand.3
> /usr/share/man/man3/BN_set_bit.3
> /usr/share/man/man3/BN_zero.3
> /usr/share/man/man3/buffer.3
> /usr/share/man/man3/crypto.3
> /usr/share/man/man3/CRYPTO_set_ex_data.3
> /usr/share/man/man3/d2i_DHparams.3
> /usr/share/man/man3/d2i_RSAPublicKey.3
> /usr/share/man/man3/des.3
> /usr/share/man/man3/DH_generate_key.3
> /usr/share/man/man3/DH_generate_parameters.3
> /usr/share/man/man3/DH_get_ex_new_index.3
> /usr/share/man/man3/DH_new.3
> /usr/share/man/man3/dh.3
> /usr/share/man/man3/DH_set_method.3
> /usr/share/man/man3/DH_size.3
> /usr/share/man/man3/DSA_do_sign.3
> /usr/share/man/man3/DSA_dup_DH.3
> /usr/share/man/man3/DSA_generate_key.3
> /usr/share/man/man3/DSA_generate_parameters.3
> /usr/share/man/man3/DSA_get_ex_new_index.3
> /usr/share/man/man3/DSA_new.3
> /usr/share/man/man3/dsa.3
> /usr/share/man/man3/DSA_set_method.3
> /usr/share/man/man3/DSA_SIG_new.3
> /usr/share/man/man3/DSA_sign.3
> /usr/share/man/man3/DSA_size.3
> /usr/share/man/man3/err.3
> /usr/share/man/man3/ERR_clear_error.3
> /usr/share/man/man3/ERR_error_string.3
> /usr/share/man/man3/ERR_get_error.3
> /usr/share/man/man3/ERR_GET_LIB.3
> /usr/share/man/man3/ERR_load_crypto_strings.3
> /usr/share/man/man3/ERR_load_strings.3
> /usr/share/man/man3/ERR_print_errors.3
> /usr/share/man/man3/ERR_put_error.3
> /usr/share/man/man3/ERR_remove_state.3
> /usr/share/man/man3/EVP_DigestInit.3
> /usr/share/man/man3/EVP_EncryptInit.3
> /usr/share/man/man3/EVP_OpenInit.3
> /usr/share/man/man3/evp.3
> /usr/share/man/man3/EVP_SealInit.3
> /usr/share/man/man3/EVP_SignInit.3
> /usr/share/man/man3/EVP_VerifyInit.3
> /usr/share/man/man3/hmac.3
> /usr/share/man/man3/lhash.3
> /usr/share/man/man3/lh_stats.3
> /usr/share/man/man3/md5.3
> /usr/share/man/man3/mdc2.3
> /usr/share/man/man3/OpenSSL_add_all_algorithms.3
> /usr/share/man/man3/OPENSSL_VERSION_NUMBER.3
> /usr/share/man/man3/RAND_add.3
> /usr/share/man/man3/RAND_bytes.3
> /usr/share/man/man3/RAND_cleanup.3
> /usr/share/man/man3/RAND_egd.3
> /usr/share/man/man3/RAND_load_file.3
> /usr/share/man/man3/rand.3
> /usr/share/man/man3/RAND_set_rand_method.3
> /usr/share/man/man3/rc4.3
> /usr/share/man/man3/ripemd.3
> /usr/share/man/man3/RSA_blinding_on.3
> /usr/share/man/man3/RSA_check_key.3
> /usr/share/man/man3/RSA_generate_key.3
> /usr/share/man/man3/RSA_get_ex_new_index.3
> /usr/share/man/man3/RSA_new.3
> /usr/share/man/man3/RSA_padding_add_PKCS1_type_1.3
> /usr/share/man/man3/rsa.3
> /usr/share/man/man3/RSA_print.3
> /usr/share/man/man3/RSA_private_encrypt.3
> /usr/share/man/man3/RSA_public_encrypt.3
> /usr/share/man/man3/RSA_set_method.3
> /usr/share/man/man3/RSA_sign_ASN1_OCTET_STRING.3
> /usr/share/man/man3/RSA_sign.3
> /usr/share/man/man3/RSA_size.3
> /usr/share/man/man3/sha.3
> /usr/share/man/man3/threads.3
> /usr/share/man/man3/SSL_accept.3
> /usr/share/man/man3/SSL_CIPHER_get_name.3
> /usr/share/man/man3/SSL_clear.3
> /usr/share/man/man3/SSL_connect.3
> /usr/share/man/man3/SSL_CTX_free.3
> /usr/share/man/man3/SSL_CTX_new.3
> /usr/share/man/man3/SSL_CTX_set_cipher_list.3
> /usr/share/man/man3/SSL_CTX_set_ssl_version.3
> /usr/share/man/man3/SSL_free.3
> /usr/share/man/man3/SSL_get_ciphers.3
> /usr/share/man/man3/SSL_get_current_cipher.3
> /usr/share/man/man3/SSL_get_error.3
> /usr/share/man/man3/SSL_get_fd.3
> /usr/share/man/man3/SSL_get_peer_cert_chain.3
> /usr/share/man/man3/SSL_get_peer_certificate.3
> /usr/share/man/man3/SSL_get_rbio.3
> /usr/share/man/man3/SSL_get_session.3
> /usr/share/man/man3/SSL_get_verify_result.3
> /usr/share/man/man3/SSL_library_init.3
> /usr/share/man/man3/SSL_new.3
> /usr/share/man/man3/SSL_pending.3
> /usr/share/man/man3/ssl.3
> /usr/share/man/man3/SSL_read.3
> /usr/share/man/man3/SSL_SESSION_free.3
> /usr/share/man/man3/SSL_set_bio.3
> /usr/share/man/man3/SSL_set_fd.3
> /usr/share/man/man3/SSL_set_session.3
> /usr/share/man/man3/SSL_set_verify_result.3
> /usr/share/man/man3/SSL_shutdown.3
> /usr/share/man/man3/SSL_write.3
> /usr/share/man/man5/config.5
> /usr/share/man/man7/des_modes.7
> /usr/share/ssl
> /usr/share/ssl/misc
> /usr/share/ssl/misc/CA.sh
> /usr/share/ssl/misc/CA.pl
> /usr/share/ssl/misc/sign.sh
> /usr/share/ssl/misc/der_chop
> /usr/share/ssl/misc/c_hash
> /usr/share/ssl/misc/c_info
> /usr/share/ssl/misc/c_issuer
> /usr/share/ssl/misc/c_name
> /usr/share/ssl/certs
> /usr/share/ssl/private
> /usr/share/ssl/lib
> /usr/share/ssl/openssl.cnf
> /usr/share/ssl/crl
12 Cryptography & Authentication - OpenSSH
In this Chapter

Compiling - Optimizing & Installing OpenSSH
Configuring OpenSSH
OpenSSH Per-User Configuration
OpenSSH Users Tools


286

OpenSSH
CHAPTER 12


Linux OpenSSH 


Abstract 

As illustrated in the chapter related to Linux installation, many network services including, but not 
limited to, telnet, rsh, rlogin, or rexec are vulnerable to electronic eavesdropping. As a 
consequence, anyone who has access to any machine connected to the network can listen in on 
network communication and get your password, as well as any other private information that is 
sent over the network in plain text. 


Currently the Telnet program is indispensable for daily administration tasks, but it is insecure
since it transmits your password in plain text over the network and allows any listener to capture
your password and then use your account to do anything he likes. To solve this problem we must
find either another way, or another program, to replace it. Fortunately OpenSSH is a truly
seamless and secure replacement for old, insecure and obsolete remote login programs such as
telnet, rlogin, rsh, rdist, or rcp.














According to the official [OpenSSH README] file: 

SSH (Secure Shell) is a program to log into another computer over a network, to execute 
commands on a remote machine, and to move files from one machine to another. It provides 
strong authentication and secure communications over insecure channels. It is intended as a 
replacement for rlogin, rsh, rcp, and rdist. 


These installation instructions assume:

- Commands are Unix-compatible.
- The source path is /var/tmp (note that other paths are possible, at personal discretion).
- Installations were tested on Red Hat 7.1.
- All steps in the installation will happen using the super-user account "root".
- Whether kernel recompilation may be required: No
- Latest OpenSSH version number is 2.9p1


Packages
The following are based on information as listed by OpenSSH as of 2001/05/01. Please regularly
check at www.openssh.com for the latest status.


Pristine source code is available from:

OpenSSH Homepage: http://www.openssh.com/

OpenSSH FTP Site: 129.128.5.191

You must be sure to download: openssh-2.9p1.tar.gz








NOTE: Don't forget to download the portable version (the "p" suffix) of the OpenSSH tarball for Linux.
There is a strictly OpenBSD-based development line of this software and another one, known as the
portable version, which runs on many operating systems (these are known as the "p" releases, and
are named like "OpenSSH 2.9p1").

Prerequisites

OpenSSH requires that the software listed below be already installed on your system to be able to
compile successfully. If this is not the case, you must install it from your Linux CD-ROM or source
archive files. Please make sure you have this program installed on your machine before you
proceed with this chapter.


• OpenSSL, which enables support for SSL functionality, must already be installed on your
system to be able to use the OpenSSH software.


NOTE: For more information on the OpenSSL software, see its related chapter in this book. Even if
you don't need to use the OpenSSL software to create or hold encrypted key files, it's important to
note that the OpenSSH program requires its library files to be able to work properly on your system.





Pristine source 

If you don't use the RPM package to install this program, it will be difficult for you to locate all
installed files on the system when the program is updated in the future. To solve the problem, it
is a good idea to make a list of files on the system before you install OpenSSH, and one
afterwards, and then compare them using the Linux diff utility to find out what files have been
placed where.


• Simply run the following command before installing the software:
[root@deep /root]# find /* > OpenSSH1


• And the following one after you install the software:
[root@deep /root]# find /* > OpenSSH2


• Then use the following command to get a list of what changed:
[root@deep /root]# diff OpenSSH1 OpenSSH2 > OpenSSH-Installed

















With this procedure, if any upgrade appears, all you have to do is to read the generated list of
what files the program changed and remove the files manually from your system before
installing the new software. Related to our example above, we use the /root directory of the
system to store all generated list files.
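The before/after inventory described above, packaged as a pair of shell functions. This is an added example, not from the book: it goes slightly beyond the raw "find /* > file" and diff by sorting the listing so that comm(1) can report additions and removals separately, and by using -xdev so that /proc and other pseudo-filesystems do not show up as "changes". The temporary tree it walks is constructed for the demonstration and stands in for the real "/".

```shell
# Added example (not from the book): before/after file inventory helpers.

snapshot_tree() {   # snapshot_tree <root-dir> <outfile>
    # -xdev keeps the walk on one filesystem; sorted output is required by comm(1)
    find "$1" -xdev -print 2>/dev/null | LC_ALL=C sort > "$2"
}

added_files() {     # added_files <before> <after>   -> paths present only in <after>
    LC_ALL=C comm -13 "$1" "$2"
}

removed_files() {   # removed_files <before> <after> -> paths present only in <before>
    LC_ALL=C comm -23 "$1" "$2"
}

# Self-contained demonstration on a constructed temporary tree.
demo_snapshot() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc/ssh"
    : > "$root/usr/bin/oldtool"

    snapshot_tree "$root" "$root.before"
    # simulate a "make install": two new files appear, one old file goes away
    : > "$root/usr/bin/ssh"
    : > "$root/etc/ssh/sshd_config"
    rm "$root/usr/bin/oldtool"
    snapshot_tree "$root" "$root.after"

    # print paths relative to the constructed root: additions first, then removals
    added_files "$root.before" "$root.after" | sed "s|^$root||"
    removed_files "$root.before" "$root.after" | sed "s|^$root||"
    rm -rf "$root" "$root.before" "$root.after"
}

demo_snapshot
```

Keep the two snapshot files outside the tree being snapshotted (as the book does with /root), otherwise the second listing will report the first snapshot file itself as a new file.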


Compiling - Optimizing & Installing OpenSSH

Below are the required steps that you must take to configure, compile and optimize the
OpenSSH software before installing it into your Linux system. First off, we install the program as
user 'root' so as to avoid authorization problems.


Step 1
Once you get the program from the main software site you must copy it to
the /var/tmp directory and change to this location before expanding the archive.


• These procedures can be accomplished with the following commands:
[root@deep /]# cp openssh-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf openssh-version.tar.gz
Step 2
After that, move into the newly created OpenSSH directory then configure and optimize it.


• To move into the newly created OpenSSH directory use the following command:
[root@deep tmp]# cd openssh-2.9p1/


• To configure and optimize OpenSSH use the following compile lines:
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--libexecdir=/usr/libexec/openssh \
--mandir=/usr/share/man \
--with-pam \
--with-ipaddr-display \
--with-ipv4-default \
--with-md5-passwords


This tells OpenSSH to set itself up for this particular configuration with:

- Enabled PAM support.
- Use the IP address instead of the hostname in $DISPLAY.
- Use IPv4 for connections by default unless '-6' is specified.
- Enable use of MD5 passwords.








NOTE: Pay special attention to the compile CFLAGS line above. We optimize OpenSSH for an i686
CPU architecture with the parameters "-march=i686" and "-mcpu=i686". Please don't forget to
adjust this CFLAGS line to reflect your own system and architecture.





Step 3

Now, we must make a list of files on the system before you install the software, and one
afterwards, then compare them using the diff utility to find out what files are placed where and
finally install OpenSSH in the server:


[root@deep openssh-2.9p1]# make
[root@deep openssh-2.9p1]# cd
[root@deep /root]# find /* > OpenSSH1
[root@deep /root]# cd /var/tmp/openssh-2.9p1/
[root@deep openssh-2.9p1]# make install
[root@deep openssh-2.9p1]# cd
[root@deep /root]# find /* > OpenSSH2
[root@deep /root]# diff OpenSSH1 OpenSSH2 > OpenSSH-Installed





The above commands will configure the software to ensure your system has the necessary 
libraries to successfully compile the package, compile all source files into executable binaries, 
and then install the binaries and any supporting files into the appropriate locations. 
Step 4

Once compilation, optimization and installation of the software have been finished, we can free up
some disk space by deleting the program tar archive and the related source directory,
since they are no longer needed.


• To delete the OpenSSH archive and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf openssh-version/
[root@deep tmp]# rm -f openssh-version.tar.gz


The rm command as used above will remove all the source files we have used to compile and 
install OpenSSH. It will also remove the OpenSSH compressed archive from the /var/tmp 
directory. 


Configuring OpenSSH


After building OpenSSH, your next step is to verify or change, if necessary, options in your
OpenSSH configuration files. Those files are:


/etc/ssh/ssh_config (The OpenSSH Client Configuration File)
/etc/ssh/sshd_config (The OpenSSH Server Configuration File)
/etc/pam.d/sshd (The OpenSSH PAM Support Configuration File)
/etc/rc.d/init.d/sshd (The OpenSSH Initialization File)


/etc/ssh/ssh_config: The OpenSSH Client Configuration File
The ssh_config file is the system-wide configuration file for OpenSSH which allows you to set
options that modify the operation of the client programs. The file contains keyword-value pairs,
one per line, with keywords being case insensitive.


Here are the most important keywords to configure your ssh client for maximum security; a
complete listing and/or special requirements are available in the manual page for ssh (1). We
must change the default ones to fit our requirements and operating system. The text in bold is
the part of the configuration file that must be customized and adjusted to satisfy your needs.


• Edit the ssh_config file (vi /etc/ssh/ssh_config) and set your needs. Below is
what we recommend:


# Site-wide defaults for various options

Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking yes
IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_rsa
Port 22
Protocol 2,1
Cipher blowfish
EscapeChar ~


This tells the ssh_config file to set itself up for this particular configuration with:


Host *

This option "Host" restricts all forwarded declarations and options in the configuration file to be
only for those hosts that match one of the patterns given after the keyword. The pattern * means
all hosts, up to the next Host keyword. With this option you can set different declarations for
different hosts in the same ssh_config file. In particular, I find it useful when you want to
automate backups over the network with SSH and don't want to supply the user password. In this
way we can build a new section reserved for this purpose and disable the functions that ask for a
password for the specified host in question.


ForwardAgent no 
This option “ForwardAgent” specifies which connection authentication agent (if any) should be 
forwarded to the remote machine. 


ForwardX11 no

This option "ForwardX11" is for people that use the X Window GUI and want to automatically
redirect X11 sessions to the remote machine. Since we set up a server and don't have a GUI
installed on it, we can safely turn this option off.


RhostsAuthentication no
This option "RhostsAuthentication" specifies whether we can try to use rhosts based
authentication. Because rhosts authentication is insecure you shouldn't use this option.


RhostsRSAAuthentication no
This option "RhostsRSAAuthentication" specifies whether or not to try rhosts
authentication in concert with RSA host authentication. Evidently our answer is no.


RSAAuthentication yes

This option "RSAAuthentication" specifies whether to try RSA authentication. It is important to
note that it is reserved for the SSH1 protocol only. This option must be set to yes for better
security in your sessions if you use SSH1 and only SSH1, since it doesn't apply to the SSH2 protocol
(SSH2 uses DSA instead of RSA). RSA uses public and private key pairs created with the
ssh-keygen utility for authentication purposes.


PasswordAuthentication no

This option "PasswordAuthentication" specifies whether we should use password-based
authentication. For strong security, this option must always be set to no. You should put
'PasswordAuthentication no' in the sshd_config file, otherwise people might try to guess
the password for the user. With 'PasswordAuthentication no', your public key must be on
the computer or no login is allowed: that's what we want. Take note that with the Windows client
program called "putty" you cannot set this option to no or you will not be able to log in to the
server using putty.


FallBackToRsh no 

This option “FallBackToRsh” specifies that if a connection with ssh daemon fails rsh should 
automatically be used instead. Recalling that rsh service is insecure, this option must always be 
set to no. 


UseRsh no

This option "UseRsh" specifies that rlogin/rsh services should be used on this host. As with
the FallBackToRsh option, it must be set to no for obvious reasons.


BatchMode no

This option "BatchMode" specifies whether username and password querying on connect will
be disabled. This option is useful when you create scripts and don't want to supply the password
(e.g. scripts that use the scp command to make backups over the network).


CheckHostIP yes

This option "CheckHostIP" specifies whether or not ssh will additionally check the IP address
of the host it connects to against the known_hosts file, to detect DNS spoofing. It's recommended
that you set this option to yes, but on the other hand you can lose some performance.


StrictHostKeyChecking yes

This option "StrictHostKeyChecking" specifies whether or not ssh will automatically add new
host keys to the $HOME/.ssh/known_hosts file, or never automatically add new host keys to
the host file. This option, when set to yes, provides maximum protection against Trojan horse
attacks. One interesting procedure with this option is to set it to no at the beginning, allow ssh to
automatically add all common hosts to the host file as they are connected to, and then return to
set it to yes to take advantage of its feature.





IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/id_rsa

These options specify alternate multiple authentication identity files to read.





Port 22 
This option “Port” specifies on which port number ssh connects to on the remote host. The 
default port is 22. 


Protocol 2,1

This option "Protocol" specifies the protocol versions ssh should support in order of
preference. In our configuration the default is "2,1". This means that ssh tries version 2 and falls
back to version 1 if version 2 is not available. Depending on the ssh client version you use to
connect, you may need to invert this order, but you can connect with an ssh client version 1 even if
the order is "2,1".


Cipher blowfish
This option "Cipher" specifies what cipher should be used for encrypting sessions. Blowfish
uses 64-bit blocks and keys of up to 448 bits.


EscapeChar ~
This option "EscapeChar" specifies the session escape character for suspension.
/etc/ssh/sshd_config: The OpenSSH Server Configuration File

The sshd_config file is the system-wide configuration file for OpenSSH which allows you to set
options that modify the operation of the daemon. This file contains keyword-value pairs, one per
line, with keywords being case insensitive.


Here are the most important keywords to configure your sshd server for maximum security; a
complete listing and/or special requirements are available in the manual page for sshd (8). We
must change the default ones to fit our requirements and operating system. The text in bold is
the part of the configuration file that must be customized and adjusted to satisfy our needs.


• Edit the sshd_config file (vi /etc/ssh/sshd_config) and set your needs. Below
is what we recommend:


# This is the ssh server systemwide configuration file.

Port 22
ListenAddress 207.35.78.3
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
ServerKeyBits 768
LoginGraceTime 60
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers gmourani
PAMAuthenticationViaKbdInt yes
Subsystem sftp /usr/libexec/openssh/sftp-server


This tells the sshd_config file to set itself up for this particular configuration with:


Port 22 
The option “Port” specifies on which port number ssh daemon listens for incoming connections. 
The default port is 22. 


ListenAddress 207.35.78.3

The option "ListenAddress" specifies the IP address of the network interface on which the ssh
daemon server socket is bound. The default is "0.0.0.0" (all interfaces); to improve security you
may specify only the required ones to limit possible addresses.


HostKey /etc/ssh/ssh_host_key 

HostKey /etc/ssh/ssh_host_dsa_key 

HostKey /etc/ssh/ssh_host_rsa_key 

These options specify the location containing the different private host keys. If you have compiled
OpenSSH as described in this book, then the default ones are correct.


ServerKeyBits 768
The option "ServerKeyBits" specifies how many bits to use in the server key. These bits are
used when the daemon starts to generate its RSA key.


LoginGraceTime 60

The option "LoginGraceTime" specifies how long in seconds after a connection request the
server will wait before disconnecting, if the user has not successfully logged in. A low value is
recommended for this setting. Imagine what 1024 simultaneous half-open connections can do
to the other processes on your server.


KeyRegenerationInterval 3600

The option "KeyRegenerationInterval" specifies how long in seconds the server should wait
before automatically regenerating its key. This is a security feature to prevent decrypting captured
sessions.


PermitRootLogin no

The option "PermitRootLogin" specifies whether root can log in using ssh. Never say yes to
this option. It is better and safer to log in with a regular UID and then su to root, or better yet, use
the sudo program.


IgnoreRhosts yes

The option "IgnoreRhosts" specifies whether the rhosts or shosts files should not be used
in authentication. For security reasons it is recommended to NOT use rhosts or shosts files for
authentication.


IgnoreUserKnownHosts yes

The option "IgnoreUserKnownHosts" specifies whether the ssh daemon should ignore the
user's $HOME/.ssh/known_hosts file during RhostsRSAAuthentication. Since we don't
allow .rhosts files in our server, it is safe to say yes here.





StrictModes yes

The option "StrictModes" specifies whether ssh should check the user's permissions on their home
directory and rhosts files before accepting login. This option must always be set to yes
because sometimes users may accidentally leave their directory or files world-writable.


X11Forwarding no
The option "X11Forwarding" specifies whether X11 forwarding should be enabled or not on this
server. Since we set up a server without a GUI installed on it, we can safely turn this option off.


PrintMotd yes 

The option “PrintMotd” specifies whether the ssh daemon should print the contents of the 
/etc/motd file when a user logs in interactively. The /etc/motd file is also known as “the 
message of the day”. 


SyslogFacility AUTH 
The option “SyslogFacility” specifies the facility code used when logging messages from 
sshd. The facility specifies the subsystem that produced the message--in our case, AUTH. 


LogLevel INFO
The option "LogLevel" specifies the level that is used when logging messages from sshd. INFO
is a good choice. See the manual page for sshd for more information on other possibilities.


RhostsAuthentication no
The option "RhostsAuthentication" specifies whether sshd can try to use rhosts based
authentication. Because rhosts authentication is insecure you shouldn't use this option.


RhostsRSAAuthentication no
The option "RhostsRSAAuthentication" specifies whether to try rhosts authentication in
concert with RSA host authentication.


RSAAuthentication yes

The option "RSAAuthentication" specifies whether to try RSA authentication. It is important to
note that it is reserved for the SSH1 protocol only. This option must be set to yes for enhanced
security in your sessions if you use SSH1 and only SSH1, since it doesn't apply to the SSH2
protocol (SSH2 uses DSA instead of RSA). RSA uses public and private key pairs created with the
ssh-keygen utility for authentication purposes.


PasswordAuthentication no

The option "PasswordAuthentication" specifies whether we should use password-based
authentication. For strong security, this option must always be set to no. You should put
'PasswordAuthentication no' in the sshd_config file, otherwise people might try to guess
the password for the user. With 'PasswordAuthentication no', your public key must be on
the computer or no login is allowed: that's what we want. Note that with the Windows client
program called "putty" you cannot set this option to no or you will not be able to log into the
server using putty.








PermitEmptyPasswords no

This option "PermitEmptyPasswords" is closely related to the above option
"PasswordAuthentication" and specifies whether, if password authentication is allowed, the
server should allow logging in to accounts with a null password. Since we do not allow password
authentication in the server, we can safely turn off this option.


AllowUsers admin
This option "AllowUsers" specifies and controls which users can access ssh services. Multiple
users can be specified, separated by spaces.
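A way to verify, after editing, that an sshd_config really carries the hardening values discussed above. This is an added example, not from the book or the OpenSSH project. It reproduces two parsing rules of sshd(8) that matter for an audit: keywords are matched case-insensitively, and the first non-comment occurrence of a keyword wins, so a commented-out "#PasswordAuthentication no" below a live "PasswordAuthentication yes" does not count. The two sample configuration files written by the helper functions are constructed for the demonstration.

```shell
# Added example (not from the book): audit sshd_config against the recommended values.

sshd_option() {         # sshd_option <config-file> <keyword>  -> effective value (or nothing)
    awk -v key="$2" 'BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                     # comment lines never set anything
        tolower($1) == key { print $2; exit }   # first occurrence wins, as in sshd(8)
    ' "$1"
}

# keyword=expected pairs taken from the sshd_config recommended above
SSHD_EXPECT="PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no
IgnoreRhosts=yes RhostsAuthentication=no RhostsRSAAuthentication=no
StrictModes=yes X11Forwarding=no"
# keywords whose value is site specific but which must be present at all
SSHD_REQUIRE="ListenAddress AllowUsers"

audit_sshd_config() {   # audit_sshd_config <config-file>; prints findings, returns 1 if any
    rc=0
    for pair in $SSHD_EXPECT; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_option "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want, the sshd default applies instead)"; rc=1
        elif [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "WEAK    $key $have (want $want)"; rc=1
        fi
    done
    for key in $SSHD_REQUIRE; do
        [ -n "$(sshd_option "$1" "$key")" ] || { echo "MISSING $key (unrestricted)"; rc=1; }
    done
    return $rc
}

# Constructed sample files for the demonstration (not real server configs).
write_hardened_config() {   # write_hardened_config <path>
    cat > "$1" <<'EOF'
# hardened: mirrors the book's recommendation (lower-case keyword on purpose)
Port 22
ListenAddress 192.0.2.10
permitrootlogin no
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
StrictModes yes
X11Forwarding no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers gmourani
EOF
}

write_weak_config() {       # write_weak_config <path>
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
StrictModes yes
EOF
}

demo_audit() {
    d=$(mktemp -d)
    write_hardened_config "$d/good"; write_weak_config "$d/bad"
    echo "== good =="; audit_sshd_config "$d/good" && echo "hardened: no findings"
    echo "== bad ==";  audit_sshd_config "$d/bad"  || echo "weak settings found"
    rm -rf "$d"
}
demo_audit
```

Run it against the live file with audit_sshd_config /etc/ssh/sshd_config after every edit, and again after an upgrade, since a new package may ship a fresh sshd_config with the defaults restored.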


/etc/pam.d/sshd: The OpenSSH PAM Support Configuration File
For better security of OpenSSH, we'll configure it to use PAM password authentication support. To
do that, you must create the /etc/pam.d/sshd file and add the following parameters inside it.


• Create the sshd file (touch /etc/pam.d/sshd) and add the following lines:


#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_access.so
account required /lib/security/pam_time.so
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
/etc/rc.d/init.d/sshd: The OpenSSH Initialization File


The /etc/rc.d/init.d/sshd script file is responsible for automatically starting and stopping
the OpenSSH daemon on your server. Loading the sshd daemon as a standalone daemon will
eliminate load time and will even reduce swapping since non-library code will be shared. This is
the best way to start the sshd daemon on the system; never use programs like xinetd or inetd to
start it.


Step 1 


Create the sshd script file (touch /etc/rc.d/init.d/sshd) and add the following lines
inside it:


#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

# source function library
. /etc/rc.d/init.d/functions

RETVAL=0

function start()
{
    # generate the SSH1 (RSA) and SSH2 (DSA) host keys on first start if missing
    if [ ! -s /etc/ssh/ssh_host_key ]; then
        /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ""
    fi
    if [ ! -s /etc/ssh/ssh_host_dsa_key ]; then
        /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N ""
    fi

    action "Starting sshd:" /usr/sbin/sshd
    RETVAL=$?
    [ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
}

function stop()
{
    echo -n "Stopping sshd:"
    killproc /usr/sbin/sshd
    RETVAL=$?
    echo
    [ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    reload)
        killproc /usr/sbin/sshd -HUP
        RETVAL=$?
        ;;
    condrestart)
        if [ -f /var/lock/subsys/sshd ] ; then
            stop
            start
        fi
        ;;
    status)
        status /usr/sbin/sshd
        RETVAL=$?
        ;;
    *)
        echo "Usage: sshd {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL


Step 2

Once the sshd script file has been created, it is important to make it executable, change its
default permissions, create the necessary links and start it. Making this file executable will allow
the system to run it, changing its default permissions will allow only the root user to change this file
for security reasons, and creating the symbolic links will let the process control initialization of
Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the program automatically for you at each boot.


• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/sshd
[root@deep /]# chown 0.0 /etc/rc.d/init.d/sshd


• To create the symbolic rc.d links for OpenSSH, use the following commands:
[root@deep /]# chkconfig --add sshd
[root@deep /]# chkconfig --level 2345 sshd on


• To start the OpenSSH software manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/sshd start
Starting sshd: [OK]




















NOTE: All the configuration files required for each software package described in this book have been
provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can
unpack this to any location on your local machine, say for example /var/tmp; assuming you
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy
directory each configuration file has its own directory for the respective software. You can either cut
and paste these directly if you are faithfully following our instructions from the beginning or
manually edit them to suit your needs. This facility is there as a convenience, but
please don't forget that ultimately it is your responsibility to check and verify them before you use
them, whether modified or as they are.

Further documentation
For more details, there are several manual pages about OpenSSH that you can read:


$ man ssh (1) - OpenSSH secure shell client (remote login program)
$ man slogin (1) - OpenSSH secure shell client (remote login program)
$ man ssh-add (1) - Adds identities for the authentication agent
$ man ssh-agent (1) - Authentication agent
$ man ssh-keygen (1) - Authentication key generation
$ man sshd (8) - Secure shell daemon
$ man sftp-server (8) - SFTP server subsystem


OpenSSH Per-User Configuration
After your desired configuration options have been set and the sshd daemon is running, it is time to
create new private & public keys for our users to establish the secure connection.


From the manual page for sshd (8):

There are cryptosystems where encryption and decryption are done using separate keys, and it is
not possible to derive the decryption key from the encryption key. The idea is that each user
creates a public/private key pair for authentication purposes. The server knows the public key,
and only the user knows the private key.


The file $HOME/.ssh/authorized_keys2 for SSH2 or $HOME/.ssh/authorized_keys for
SSH1 lists the public keys that are permitted for logging in. When the user logs in, the ssh
program tells the server which key pair it would like to use for authentication. The server checks if
this key is permitted, and if so, sends the user (actually the ssh program running on behalf of the
user) a challenge, a random number, encrypted by the user's public key. The challenge can only
be decrypted using the proper private key. The user's client then decrypts the challenge using the
private key, proving that he/she knows the private key but without disclosing it to the server.








Step 1
I'll show you below how to create a new SSH private & public key for one user. This example
assumes that secure encrypted connections will be made between Linux servers.


• To create your (DSA) private & public keys for SSH2 on the LOCAL server, use the commands:
[root@deep /]# su gmourani
[gmourani@deep /]$ ssh-keygen -d
Generating DSA parameter and Key.
Enter file in which to save the key (/home/gmourani/.ssh/id_dsa):
Created directory '/home/gmourani/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gmourani/.ssh/id_dsa.
Your public key has been saved in /home/gmourani/.ssh/id_dsa.pub.
The key fingerprint is:
1f:af:aa:22:0a:21:85:3c:07:7a:5c:ae:c2:d3:56:64 gmourani@deep

WARNING: The above example assumes that you want to generate (DSA) private & public keys for
SSH protocol 2 (highly recommended). If you want to generate (RSA) private & public keys for SSH
protocol 1, then you must remove the '-d' option from the key generation command as follows:


[root@deep /]# su gmourani
[gmourani@deep /]$ ssh-keygen


Removing the '-d' option will generate SSH1 instead of SSH2 private & public keys. The SSH1
private key will be named "identity" and the public key will be "identity.pub".





If you have multiple accounts you might want to create a separate key on each of them. You may
want to have separate keys for:


• Your server (1)
• Your server (2)
• Your server (3)


This allows you to limit access between these servers, e.g. not allowing the first server (1)
account to access your second server (2) account or the third server (3). This enhances the
overall security in the case any of your authentication keys are compromised for any reason.


Step 2

Copy your local public key id_dsa.pub for SSH2 or identity.pub for SSH1 from the
/home/gmourani/.ssh directory to the remote machine under the name, say, "authorized_keys2" for
SSH2 or "authorized_keys" for SSH1. One way to copy the file is to use the ftp command, or
you might need to send your public key in electronic mail to the administrator of the system. Just
include the contents of the ~/.ssh/id_dsa.pub or ~/.ssh/identity.pub file in the
message.


To summarize the required steps:


1) The user creates his/her DSA or RSA key pair by running ssh-keygen. This stores the
private key in $HOME/.ssh/id_dsa (SSH2) or in $HOME/.ssh/identity (SSH1) and
the public key in $HOME/.ssh/id_dsa.pub (SSH2) or in
$HOME/.ssh/identity.pub (SSH1) in the user's home directory on the LOCAL
machine.


2) The user should then copy the id_dsa.pub key (SSH2) or identity.pub key (SSH1)
to $HOME/.ssh/authorized_keys2 for SSH2 or to $HOME/.ssh/authorized_keys
for SSH1 in his/her home directory on the REMOTE machine (the authorized_keys2
or authorized_keys file corresponds to the conventional $HOME/.rhosts file, and
has one key per line, though the lines can be very long).
+----------------------------------+        +----------------------------------+
|             Server 1             |        |             Server 2             |
+----------------------------------+        +----------------------------------+
User: gmourani                              User: gmourani
Pass-phrase: qwerty1                        Pass-phrase: qwerty2
Private key: id_dsa                         Private key: id_dsa
Public key: id_dsa.pub   - - - - - - - - >  authorized_keys2
authorized_keys2         < - - - - - - - -  Public key: id_dsa.pub


The public key of user gmourani on the first server (1) is sent to the second server (2) under the
$HOME directory of user gmourani and becomes 'authorized_keys2'; the same action is
made on the second server (2). The public key of user gmourani on server (2) is sent to
server (1) under the $HOME directory of user gmourani and becomes 'authorized_keys2'.








NOTE: OpenSSH's public key is a one-line string. Adding public keys from commercial SSH tools 
which stretch the public key over several lines will not be recognized by OpenSSH. 
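A pre-flight check for the two things that silently break public key logins set up as above: the StrictModes option from the sshd_config section refuses a home directory, ~/.ssh or authorized keys file that is group- or world-writable, and, as the NOTE says, OpenSSH does not recognise public keys pasted in the multi-line "---- BEGIN SSH2 PUBLIC KEY ----" format of commercial SSH tools. This is an added example, not from the book or the OpenSSH project; it assumes GNU stat(1) for the octal mode, handles only plain SSH2 entries (no per-key options in front of the key type), and the key blobs it writes are constructed dummies, not real keys.

```shell
# Added example (not from the book): check a user's key files before trying to log in.

mode_is_private() {     # mode_is_private <octal mode, e.g. 755 or 2755> -> 0 if no g/o write bit
    m=$1
    oth=${m#${m%?}}; m=${m%?}          # last digit: others
    grp=${m#${m%?}}                    # next to last digit: group
    case $grp$oth in
        *[2367]*) return 1 ;;          # write bit (2) set in either digit
    esac
    return 0
}

check_ssh_keys() {      # check_ssh_keys <home-dir> <authorized-keys-filename>
    home=$1; akfile=$1/.ssh/$2; rc=0
    # StrictModes: home, ~/.ssh and the keys file must not be writable by group/others
    for p in "$home" "$home/.ssh" "$akfile"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; rc=1; continue; fi
        mode=$(stat -c %a "$p")
        mode_is_private "$mode" || { echo "PERMS   $p is mode $mode (StrictModes refuses it)"; rc=1; }
    done
    [ -f "$akfile" ] || return 1

    ln=0
    while IFS= read -r line || [ -n "$line" ]; do
        ln=$((ln + 1))
        case $line in
            ''|'#'*) ;;                                   # blank line or comment
            '---- BEGIN SSH2 PUBLIC KEY ----'*|'---- END SSH2 PUBLIC KEY ----'*|'Comment:'*)
                echo "FORMAT  line $ln: multi-line SSH2 key block, not an OpenSSH one-line key"; rc=1 ;;
            'ssh-dss '*|'ssh-rsa '*)
                # the second field must be one unbroken base64 string
                blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
                printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
                    || { echo "FORMAT  line $ln: key blob is not base64"; rc=1; } ;;
            *) echo "FORMAT  line $ln: unrecognised entry '${line%% *}'"; rc=1 ;;
        esac
    done < "$akfile"
    return $rc
}

# Demonstration on a constructed home directory (real ssh-dss blobs start with
# AAAAB3NzaC1kc3M; everything after that here is dummy text, not a usable key).
demo_keys() {
    h=$(mktemp -d); chmod 700 "$h"; mkdir -m 700 "$h/.ssh"
    printf '%s\n' '# keys used for network backups' \
        'ssh-dss AAAAB3NzaC1kc3MAAACBAPdummydummydummydummy= gmourani@deep' \
        > "$h/.ssh/authorized_keys2"
    chmod 600 "$h/.ssh/authorized_keys2"
    check_ssh_keys "$h" authorized_keys2 && echo "ok: clean"
    # now break it: world-writable ~/.ssh plus a pasted multi-line key
    chmod 777 "$h/.ssh"
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'Comment: "1024-bit DSA"' \
        'AAAAB3NzaC1kc3MAAACBAPdummy' '---- END SSH2 PUBLIC KEY ----' >> "$h/.ssh/authorized_keys2"
    check_ssh_keys "$h" authorized_keys2 || echo "problems found"
    rm -rf "$h"
}
demo_keys
```

When a key login fails for no visible reason, run check_ssh_keys /home/gmourani authorized_keys2 on the REMOTE machine first; sshd logs a StrictModes refusal only at the AUTH facility and says nothing to the client.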





Changing your pass-phrase
You can change the pass-phrase at any time by using the -p option of ssh-keygen.


• To change the pass-phrase, use the command:
[root@deep /]# su gmourani
[gmourani@deep /]$ ssh-keygen -d -p
Enter file in which the key is (/home/gmourani/.ssh/id_dsa):
Enter old passphrase:
Key has comment 'dsa w/o comment'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.


If you want to change the pass-phrase of a user running the SSH1 protocol then omit the "-d" option
in the above example.


OpenSSH Users Tools 
The commands listed belows are some that we use regularly, but many more exist, and you 
should check the manual pages and documentation of OpenSSH for more details. 
ssh

The ssh (Secure Shell) command provides secure encrypted communications between two
untrusted hosts over an insecure network. It is a program for securely logging into a remote
machine and executing commands from there. It is a suitable replacement for insecure programs
like telnet, rlogin, rcp, rdist, and rsh.


• To login to a remote machine, use the command:
[root@deep /]# ssh -l <login_name> <hostname>

For example:
[root@deep /]# ssh -l gmourani deep.openna.com
gmourani@deep.openna.com's password:
Last login: Tue Oct 19 1999 18:13:00 -0400 from deep.openna.com
No mail.
[gmourani@deep gmourani]$





Where <login_name> is the name you use to connect to the ssh server and <hostname> is 
the remote address (you can use IP address here) of your ssh server. 


scp
The scp (Secure Copy) utility copies files from the local system to a remote system or vice versa,
or even between two remote systems using the scp command.


• To copy files from the remote to the local system, use the following command:
[root@deep /]# su gmourani
[gmourani@deep /]$ scp -p <login_name@hostname>:/dir/for/file localdir/to/filelocation

For example:
[gmourani@deep /]$ scp -p gmourani@mail:/etc/test1 /tmp
Enter passphrase for RSA key 'gmourani@mail.openna.com':
test1 | 2 KB | 2.0 kB/s | ETA: 00:00:00 | 100%








• To copy files from the local to the remote system, use the following command:
[root@deep /]# su gmourani
[gmourani@deep /]$ scp -p localdir/to/filelocation <username@hostname>:/dir/for/file

For example:
[gmourani@deep /]$ scp -p /usr/bin/test2 gmourani@mail:/var/tmp
gmourani@mail's password:
test2 | 7 KB | 7.9 kB/s | ETA: 00:00:00 | 100%








WARNING: The "-p" option indicates that the modification and access times, as well as the modes of
the source file, should be preserved on the copy. This is usually desirable. Please check the
chapter related to backup in this book for more information about other possible uses of SSH
technology with Linux.
Some possible uses of OpenSSH
OpenSSH can be used to:

• Replace the telnet, rlogin, rsh, rdist, and rcp programs.
• Make secure backups over the network.
• Execute remote commands.
• Access corporate resources over the Internet.
• Transfer files remotely in a secure manner.


List of installed OpenSSH files in your system

> /etc/rc.d/init.d/sshd
> /etc/ssh
> /etc/ssh/ssh_config
> /etc/ssh/sshd_config
> /etc/ssh/ssh_host_key
> /etc/ssh/ssh_host_key.pub
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
> /etc/ssh/ssh_host_rsa_key
> /etc/ssh/ssh_host_rsa_key.pub
> /etc/ssh/primes
> /etc/pam.d/sshd
> /usr/bin/ssh
> /usr/bin/scp
> /usr/bin/ssh-add
> /usr/bin/ssh-agent
> /usr/bin/ssh-keygen
> /usr/bin/sftp
> /usr/bin/ssh-keyscan
> /usr/bin/slogin
> /usr/sbin/sshd
> /usr/share/man/man1/ssh.1
> /usr/share/man/man1/scp.1
> /usr/share/man/man1/sftp.1
> /usr/share/man/man1/ssh-keyscan.1
> /usr/share/man/man1/ssh-add.1
> /usr/share/man/man1/ssh-agent.1
> /usr/share/man/man1/ssh-keygen.1
> /usr/share/man/man1/slogin.1
> /usr/share/man/man8/sshd.8
> /usr/share/man/man8/sftp-server.8
> /usr/libexec/openssh
> /usr/libexec/openssh/sftp-server


Free SSH Server for Linux
FreSSH
FreSSH Homepage: http://www.fressh.org/

Free SSH Client for MS Windows
Putty
Putty Homepage: http://www.chiark.greenend.org.uk/~sgtatham/putty.html

Tera Term Pro and TTSSH
Tera Term Pro Homepage: http://hp.vector.co.jp/authors/VA002416/teraterm.html
TTSSH Homepage: http://www.zip.com.au/~roca/download.html
Part V Monitoring & System Integrity Related Reference
In this Part 


Monitoring & System Integrity - sxid 
Monitoring & System Integrity - Logcheck 
Monitoring & System Integrity - PortSentry 
Monitoring & System Integrity - Tripwire 
Monitoring & System Integrity - Xinetd 


Part V of the book deals with security tools that we must use to administer our Linux server.
These tools are very important to us in our daily work of preventing and checking for possible
attacks, holes, etc. that will surely come to our network. They will automate many tasks and will
help us to administer and keep our Linux servers secure.


Therefore, I highly recommend you install them and, once again, these tools are not a bonus, but
a requirement that you must have installed on each server on your network. One exception is
Xinetd, which is optional and depends on what server and services you have configured.
Generally, you don't have to install it, but if you use IMAP & POP servers then you must install it or
they will not work. For me this is the only reason to install Xinetd.
13 Monitoring & System Integrity - sXid
In this Chapter 


Compiling - Optimizing & Installing sxid 


Configuring sXid 
sXid Administrative Tools 
Linux sXid


Abstract 

SUID/SGID files can be a security hazard. To reduce the risks, we have previously removed the
's' bits from root-owned programs that won't require such privileges (see the chapter related to
General System Security), but future and existing files may be set with these 's' bits enabled
without you being notified.


sXid is an all-in-one suid/sgid monitoring program designed to be run by cron on a regular
basis. Basically it tracks any changes in your s[ug]id files and folders. If there are any new ones,
ones that aren't set any more, or ones that have changed bits or other modes, then it reports the
changes in an easy to read format via email or on the command line. sXid will automate the task
of finding all SUID/SGID files on your server and report them to you. Once installed you can forget
it and it will do the job for you.


These installation instructions assume:

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at your personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest sXid version number is 4.0.1


Packages 
The following are based on information as listed by sXid as of 2001/03/25. Please regularly 
check at ftp://marcus.seva.net/pub/sxid/ for the latest status. 


Pristine source code is available from: 

sXid Homepage: ftp://marcus.seva.net/pub/sxid/ 
sXid FTP Site: 137.155.111.51 

You must be sure to download: sxid_4.0.1.tar.gz 


Pristine source 

If you don't use the RPM package to install this program, it will be difficult for you to locate all
installed files in the system in the eventuality of an update in the future. To solve the problem,
it is a good idea to make a list of files on the system before you install sXid, and one afterwards,
and then compare them using the diff utility of Linux to find out what files are placed where.


• Simply run the following command before installing the software:
[root@deep /root]# find /* > sXid1

• And the following one after you install the software:
[root@deep /root]# find /* > sXid2

• Then use the following command to get a list of what changed:
[root@deep /root]# diff sXid1 sXid2 > sXid-Installed
With this procedure, if any upgrade appears, all you have to do is read the generated list of
what files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of
the system to store all generated list files.


Compiling - Optimizing & Installing sxid 

Below are the required steps that you must make to configure, compile and optimize the sxid 
software before installing it into your Linux system. First off, we install the program as user 'root' 
so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


e These procedures can be accomplished with the following commands: 
[root@deep /]# cp sxid_version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf sxid_version.tar.gz 


Step 2
After that, move into the newly created sXid directory, then configure and optimize it.


• To move into the newly created sXid directory use the following command:
[root@deep tmp]# cd sxid-4.0.1/


• To configure and optimize sXid use the following compile lines:
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--mandir=/usr/share/man








WARNING: Pay special attention to the compile CFLAGS line above. We optimize sXid for an i686
CPU architecture with the parameters "-march=i686" and "-mcpu=i686". Please don't forget to
adjust this CFLAGS line to reflect your own system.





Step 3 

Now, we must make a list of files on the system before you install the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where and 
finally install sxid in the server: 


[root@deep sxid-4.0.1]# cd
[root@deep /root]# find /* > sXid1
[root@deep /root]# cd /var/tmp/sxid-4.0.1/
[root@deep sxid-4.0.1]# make install
[root@deep sxid-4.0.1]# cd
[root@deep /root]# find /* > sXid2
[root@deep /root]# diff sXid1 sXid2 > sXid-Installed
The above commands will configure the software to ensure your system has the necessary
libraries to successfully compile the package, compile all source files into executable binaries,
and then install the binaries and any supporting files into the appropriate locations.


Step 4 

Once the compilation, optimization and installation of the software has been finished, we can free 
up some disk space by deleting the program tar archive and the related source directory since 
they are no longer needed. 


• To delete sXid and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf sxid-version/
[root@deep tmp]# rm -f sxid_version.tar.gz


The rm command as used above will remove all the source files we have used to compile and 
install sxid. It will also remove the sXid compressed archive from the /var/tmp directory. 


Configuring sxid 
After building sxid, your next step is to verify or change, if necessary, options in your sXid 
configuration files. These files are: 


✓ /etc/sxid.conf (The sxid Configuration File)
✓ /etc/cron.daily/sxid (The sxid Cron File)


/etc/sxid.conf: The sxid Configuration File 

The configuration file for sxid allows you to set options that modify the operation of the program. 
It is well commented and very basic. We must change the default one to fit our requirements and 
operating system. The text in bold are the parts of the configuration file that must be customized 
and adjusted to satisfy our needs. 


Step 1
Edit the sxid.conf file (vi /etc/sxid.conf) and set your needs. Below is what we
recommend.


# Configuration file for sXid
# Note that all directories must be absolute with no trailing /'s

# Where to begin our file search
SEARCH = "/"

# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"

# Who to send reports to
EMAIL = "noc@openna.com"

# Always send reports, even when there are no changes?
ALWAYS_NOTIFY = "no"

# Where to keep interim logs. This will rotate 'x' number of
# times based on KEEP_LOGS below
LOG_FILE = "/var/log/sxid.log"

# How many logs to keep
KEEP_LOGS = "5"

# Rotate the logs even when there are no changes?
ALWAYS_ROTATE = "no"

# Directories where +s is forbidden (these are searched
# even if not explicitly in SEARCH), EXCLUDE rules apply
FORBIDDEN = "/home /tmp"

# Remove (-s) files found in forbidden directories?
ENFORCE = "yes"

# This implies ALWAYS_NOTIFY. It will send a full list of
# entries along with the changes
LISTALL = "no"

# Ignore entries for directories in these paths
# (this means that only files will be recorded, you
# can effectively ignore all directory entries by
# setting this to "/"). The default is /home since
# some systems have /home g+s.
IGNORE_DIRS = "/home"

# File that contains a list of (each on its own line)
# of other files that sxid should monitor. This is useful
# for files that aren't +s, but relate to system
# integrity (tcpd, inetd, apache...).
EXTRA_LIST = "/etc/sxid.list"

# Mail program. This changes the default compiled in
# mailer for reports. You only need this if you have changed
# its location and don't want to recompile sxid.
MAIL_PROG = "/bin/mail"
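As an added example that is not sXid's own code, the following shell script performs the core of what the abstract and the configuration above describe: list every s[ug]id file below a search root while pruning excluded directories, compare the list with the previous run (new, removed, changed mode), and strip the s bits from files under a forbidden directory as ENFORCE = "yes" requests. It assumes GNU find and stat (the -printf and -c options) and builds a scratch tree of constructed files, so no real system path is touched.

```shell
#!/bin/sh
# Added example (not sXid's own code): a minimal version of the job sXid does
# on each run, driven by the same ideas as the sxid.conf options above.
# list_sugid finds every s[ug]id file below SEARCH while pruning EXCLUDE,
# report_changes compares two such lists (new, removed, changed mode) and
# enforce_forbidden strips the s bits from files under FORBIDDEN directories,
# which is what ENFORCE = "yes" asks for. Everything runs in a scratch
# directory built from constructed files; no real system path is touched.

# list_sugid SEARCH "EXCLUDE dirs": print "<octal mode> <path>" per s[ug]id file.
# Only regular files are listed, as sXid does with IGNORE_DIRS set to "/".
list_sugid() {
    search="$1"; exclude="$2"
    prune=""
    for d in $exclude; do
        prune="$prune -path $d -prune -o"
    done
    # $prune is expanded unquoted on purpose: it is a list of find arguments.
    find "$search" $prune \( -type f \( -perm -4000 -o -perm -2000 \) \) \
        -printf '%m %p\n' 2>/dev/null | sort -k2
}

# report_changes OLDLIST NEWLIST: print one line per difference between runs.
report_changes() {
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        {
            new[$2] = $1
            if (!($2 in old))       print "NEW:     " $1 " " $2
            else if (old[$2] != $1) print "CHANGED: " old[$2] " -> " $1 " " $2
        }
        END { for (p in old) if (!(p in new)) print "REMOVED: " old[p] " " p }
    ' "$1" "$2"
}

# enforce_forbidden "FORBIDDEN dirs" LIST: remove the s bits from listed files
# that live under a forbidden directory, printing each one handled.
enforce_forbidden() {
    forbidden="$1"
    while read -r mode path; do
        for d in $forbidden; do
            case "$path" in
                "$d"/*) chmod ug-s "$path" && echo "ENFORCED: $path" ;;
            esac
        done
    done < "$2"
}

# Demonstration on a constructed tree: a baseline run, some changes, a second
# run, the change report, and enforcement for the constructed /home.
demo_sxid_run() {
    work=$(mktemp -d)
    mkdir -p "$work/usr/bin" "$work/home/gmourani" "$work/proc"
    for f in usr/bin/passwd usr/bin/su home/gmourani/evil proc/fake; do
        : > "$work/$f"
    done
    chmod 4755 "$work/usr/bin/passwd" "$work/usr/bin/su" "$work/home/gmourani/evil"
    chmod 2755 "$work/proc/fake"            # under EXCLUDE: must never be listed

    list_sugid "$work" "$work/proc" > "$work/sxid.1"            # baseline
    chmod 755 "$work/usr/bin/su"                                # bit removed
    : > "$work/usr/bin/wall"; chmod 2755 "$work/usr/bin/wall"   # new sgid file
    list_sugid "$work" "$work/proc" > "$work/sxid.2"            # second run

    report_changes "$work/sxid.1" "$work/sxid.2"
    enforce_forbidden "$work/home" "$work/sxid.2"
    echo "after: $(stat -c '%a' "$work/home/gmourani/evil")"
    rm -rf "$work"
}
```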








Step 2 
Now, for security reasons, change the mode of this file to be 0400. 


• This procedure can be accomplished with the following command:
[root@deep /]# chmod 400 /etc/sxid.conf


/etc/cron.daily/sxid: The sxid Cron File

The sxid file is a small script executed automatically by the crond program of your server each
day to track any changes in your s[ug]id files and folders. If there are any new ones, ones that
aren't set any more, or ones that have changed bits or other modes, then it reports the changes. If
you intend to automate this task, follow the simple steps below.


• Create the sxid script file (touch /etc/cron.daily/sxid) and add the following lines:
#!/bin/sh
SXID_OPTS=
if [ -x /usr/bin/sxid ]; then
    /usr/bin/sxid ${SXID_OPTS}
fi
Step 2
Now, make this script executable and change its permission mode to be 0700.


• This procedure can be accomplished with the following command:
[root@deep /]# chmod 700 /etc/cron.daily/sxid








NOTE: All the configuration files required for each piece of software described in this book have
been provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can
unpack this to any location on your local machine, say for example /var/tmp; assuming you
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy
directory each configuration file has its own directory for the respective software. You can either cut
and paste this directly if you are faithfully following our instructions from the beginning or
manually edit these to modify to your needs. This facility is there as a convenience, but
please don't forget that ultimately it will be your responsibility to check, verify, etc. before you use
them, whether modified or as is.





Further documentation 
For more details, there are some manual pages you can read: 


$ man sxid.conf (5) - Configuration settings for sxid
$ man sxid (1) - Check for changes in s[ug]id files and directories


sXid Administrative Tools 

After your desired configuration options have been set and the program is running, we can play 
with its utility. The sxid software is meant to run as a cronjob. It must run once a day, but busy 
shell boxes may want to run it twice a day. You can also run this manually for spot-checking. 


• To run sxid manually, use the command:
[root@deep /]# sxid -k

sXid Vers  : 4.0.1
Check run  : Wed Oct 4 15:42:20 2000
This host  : deep.openna.com
Spotcheck  : /root
Excluding  : /proc /mnt /cdrom /floppy
Ignore Dirs: /home
Forbidden  : /home /tmp

(enforcing removal of s[ug]id bits in forbidden paths)

No changes found


This checks for changes by recursing the current working directory. Log files will not be rotated 
and no email sent. All output will go to stdout. 


List of installed sxid files in your system 


> /etc/sxid.conf
> /usr/bin/sxid
> /usr/share/man/man1/sxid.1
> /usr/share/man/man5/sxid.conf.5
14 Monitoring & System Integrity - Logcheck
In this Chapter 


Compiling - Optimizing & Installing Logcheck 
Configuring Logcheck 
Linux Logcheck


Abstract 

One of the most important tasks in the security world is to regularly check the log files. Often the 
daily activities of an administrator don’t allow them the time to do this task and this can bring 
about problems. 


As explained in the [Logcheck abstract]: 

Don't let the media image fool you, most hackers you'll run across are not very crafty and make a
lot of noise rattling your system's door knob...then again they can be as noisy as they want really
because there is a 99.99% chance the sysadmins won't know anyway <Craig>.


Auditing and logging system events is important! What is more important is that system 
administrators be aware of these events so they can prevent problems that will inevitably occur if 
you have a system connected to the Internet. Unfortunately for most Unices it doesn't matter how 
much you log activity if nobody ever checks the logs, which is often the case. This is where 
logcheck will help. 


Logcheck automates the auditing process and weeds out "normal" log information to give you a
condensed look at problems and potential troublemakers mailed to wherever you please.
Logcheck is a software package that is designed to automatically run and check system log files
for security violations and unusual activity. Logcheck utilizes a program called logtail that
remembers the last position it read from in a log file and uses this position on subsequent runs to
process new information.





These installation instructions assume:

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at your personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest Logcheck version number is 1.1.1


Packages 
The following are based on information as listed by Abacus as of 2001/03/25. Please regularly 
check at http://www.psionic.com/abacus/logcheck/ for the latest status. 


Pristine source code is available from: 


Logcheck Homepage Site: http://www.psionic.com/abacus/logcheck/
You must be sure to download: logcheck-1.1.1.tar.gz 
Pristine source

If you don't use the RPM package to install this program, it will be difficult for you to locate all
installed files in the system in the eventuality of an update in the future. To solve the problem,
it is a good idea to make a list of files on the system before you install Logcheck, and one
afterwards, and then compare them using the diff utility of Linux to find out what files are
placed where.


• Simply run the following command before installing the software:
[root@deep /root]# find /* > Logcheck1


• And the following one after you install the software:
[root@deep /root]# find /* > Logcheck2


• Then use the following command to get a list of what changed:
[root@deep /root]# diff Logcheck1 Logcheck2 > Logcheck-Installed

















With this procedure, if any upgrade appears, all you have to do is read the generated list of
what files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of
the system to store all generated list files.


Compiling - Optimizing & Installing Logcheck 

Below are the required steps that you must make to configure, compile and optimize the
Logcheck software before installing it into your Linux system. First off, we install the program as
user 'root' so as to avoid authorization problems.


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


e These procedures can be accomplished with the following commands: 
[root@deep /]# cp logcheck-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 

[root@deep tmp]# tar xzpf logcheck-version.tar.gz 


Step 2 

After that, move into the newly created Logcheck directory and modify some of its files as shown 
below to specify the installation paths, configuration, compilation and optimizations flags for your 
Linux system. We must hack those files to be compliant with Linux file system structure and 
install/optimize Logcheck under our PATH Environment variable. 


• To move into the newly created Logcheck directory use the following command:
[root@deep tmp]# cd logcheck-1.1.1/
Step 2.1
The first file that we will work on is named logcheck.sh, located under the systems/linux
subdirectory of the Logcheck source directory. In this file, we will change the default location of
the different Logcheck configuration files.


• Edit the logcheck.sh file (vi +34 systems/linux/logcheck.sh) and change all
of the targeted lines in the order shown below:

vi +34 systems/linux/logcheck.sh and change the line:
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/ucb:/usr/local/bin
To read:
PATH=/bin:/sbin:/usr/bin:/usr/sbin

vi +47 systems/linux/logcheck.sh and change the line:
LOGTAIL=/usr/local/bin/logtail
To read:
LOGTAIL=/usr/sbin/logtail

vi +55 systems/linux/logcheck.sh and change the line:
TMPDIR=/usr/local/etc/tmp
To read:
TMPDIR=/tmp/logcheck$$-$RANDOM

vi +92 systems/linux/logcheck.sh and change the line:
HACKING_FILE=/usr/local/etc/logcheck.hacking
To read:
HACKING_FILE=/etc/logcheck/logcheck.hacking

vi +101 systems/linux/logcheck.sh and change the line:
VIOLATIONS_FILE=/usr/local/etc/logcheck.violations
To read:
VIOLATIONS_FILE=/etc/logcheck/logcheck.violations

vi +118 systems/linux/logcheck.sh and change the line:
VIOLATIONS_IGNORE_FILE=/usr/local/etc/logcheck.violations.ignore
To read:
VIOLATIONS_IGNORE_FILE=/etc/logcheck/logcheck.violations.ignore

vi +125 systems/linux/logcheck.sh and change the line:
IGNORE_FILE=/usr/local/etc/logcheck.ignore
To read:
IGNORE_FILE=/etc/logcheck/logcheck.ignore

vi +148 systems/linux/logcheck.sh and add the following two lines, rm -rf $TMPDIR
and mkdir $TMPDIR, between the existing lines so that the block reads:
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
rm -rf $TMPDIR
mkdir $TMPDIR
if [ -f $TMPDIR/check.$$ -o -f $TMPDIR/checkoutput.$$ -o -f $TMPDIR/checkreport.$$ ]; then
    echo "Log files exist in $TMPDIR directory that cannot be removed. This
may be an attempt to spoof the log checker." \
    | $MAIL -s "$HOSTNAME $DATE ACTIVE SYSTEM ATTACK!" $SYSADMIN
    exit 1

vi +224 systems/linux/logcheck.sh and add the following one line, rm -rf $TMPDIR,
between the existing lines so that the block reads:
if [ ! -s $TMPDIR/check.$$ ]; then
    rm -f $TMPDIR/check.$$
    rm -rf $TMPDIR
    exit 0

vi +274 systems/linux/logcheck.sh and add the following one line, rm -rf $TMPDIR,
between the existing lines so that the block reads:
# Clean Up
rm -f $TMPDIR/check.$$ $TMPDIR/checkoutput.$$ $TMPDIR/checkreport.$$
rm -rf $TMPDIR
Step 2.2

The second and final file that we must modify is the Makefile of Logcheck. As for the 
logcheck.sh file above, we will change the default location of some Logcheck files and 
binaries. Also we will be adding our optimization flags to this Makefile file to speed up our 
Logcheck software. 


• Edit the Makefile file (vi +9 Makefile) and change all of the targeted lines in the
order shown below:

a) vi +9 Makefile and change the line:
CC = cc
To read:
CC = gcc

b) vi +14 Makefile and change the line:
CFLAGS = -O
To read:
CFLAGS = -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer








WARNING: Pay special attention to the compile CFLAGS line above. We optimize Logcheck for an
i686 CPU architecture with the parameters "-march=i686" and "-mcpu=i686". Please don't forget
to adjust this CFLAGS line to reflect your own system and architecture.





c) vi +22 Makefile and change the line:
INSTALLDIR = /usr/local/etc
To read:
INSTALLDIR = /etc/logcheck

d) vi +25 Makefile and change the line:
INSTALLDIR_BIN = /usr/local/bin
To read:
INSTALLDIR_BIN = /usr/sbin
e) vi +30 Makefile and change the line:
INSTALLDIR_SH = /usr/local/etc
To read:
INSTALLDIR_SH = /usr/sbin

f) vi +66 Makefile and change/remove the lines:
@echo "Creating temp directory $(TMPDIR)"
@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
@echo "Setting temp directory permissions"
chmod 700 $(TMPDIR)
To read:
#@echo "Creating temp directory $(TMPDIR)"
#@if [ ! -d $(TMPDIR) ]; then /bin/mkdir $(TMPDIR); fi
#@echo "Setting temp directory permissions"
#chmod 700 $(TMPDIR)

g) vi +75 Makefile and change the line:
cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)
To read:
cp ./systems/$(SYSTYPE)/logcheck.sh $(INSTALLDIR_SH)/logcheck

h) vi +78 Makefile and change the line:
chmod 700 $(INSTALLDIR_SH)/logcheck.sh
To read:
chmod 700 $(INSTALLDIR_SH)/logcheck


Step 3 

Now, we must make a list of files on the system before you install the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where and 
finally install Logcheck in the server: 


[root@deep logcheck-1.1.1]# cd
[root@deep /root]# find /* > Logcheck1
[root@deep /root]# cd /var/tmp/logcheck-1.1.1/
[root@deep logcheck-1.1.1]# mkdir -m700 /etc/logcheck
[root@deep logcheck-1.1.1]# make linux
[root@deep logcheck-1.1.1]# cd
[root@deep /root]# find /* > Logcheck2
[root@deep /root]# diff Logcheck1 Logcheck2 > Logcheck-Installed
The above commands will configure the software for the Linux operating system, compile all
source files into executable binaries, and then install the binaries and any supporting files into the
appropriate locations. The changes made to the Logcheck files will configure the software to use
the compiler optimization flags specific to our system, and locate all files related to the Logcheck
software in the destination target directories we have chosen to be compliant with the Linux file
system structure.


Step 4 

Once compilation, optimization and installation of the software have been finished, we can free up 
some disk space by deleting the program tar archive and the related source directory since they 
are no longer needed. 


• To delete Logcheck and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf logcheck-version/
[root@deep tmp]# rm -f logcheck-version.tar.gz


The rm command as used above will remove all the source files we have used to compile and 
install Logcheck. It will also remove the Logcheck compressed archive from the /var/tmp 
directory. 


Configuring Logcheck 
After building Logcheck, your next step is to verify or change, if necessary, the options in your 
Logcheck configuration files. Those files are: 


✓ /etc/logcheck/logcheck.hacking
✓ /etc/logcheck/logcheck.ignore
✓ /etc/logcheck/logcheck.violations
✓ /etc/logcheck/logcheck.violations.ignore











From the default install, there are no Logcheck configuration files to modify; the default entries
look fine and if you want to make some personal adjustment, all you have to do is edit the
related Logcheck configuration file. More information about the operation of each one is
contained in the INSTALL file of Logcheck under its uncompressed source directory.
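As an added example (not Logcheck's own code), here is a shell version of the mechanism described in the abstract, driven by four pattern files playing the roles of the configuration files just listed: a logtail-style reader that remembers its byte offset, and the hacking/violations/ignore filtering that produces the report sections. The log lines, pattern files and scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Logcheck's own code): the two mechanisms this chapter
# describes, reduced to shell functions. logtail_new remembers the byte offset
# it last reached in a log, like logtail, and prints only the lines appended
# since; classify_lines passes those lines through four pattern files playing
# the roles of logcheck.hacking, logcheck.violations,
# logcheck.violations.ignore and logcheck.ignore. Log lines and patterns below
# are constructed samples.

# logtail_new LOGFILE OFFSETFILE: print the lines added since the last call.
logtail_new() {
    log="$1"; offsetfile="$2"
    size=$(wc -c < "$log" | tr -d ' ')
    offset=0
    if [ -f "$offsetfile" ]; then
        read -r offset < "$offsetfile"
    fi
    # A log smaller than the saved offset was rotated or truncated: reread it.
    [ "$offset" -le "$size" ] || offset=0
    tail -c +$((offset + 1)) "$log"
    echo "$size" > "$offsetfile"
}

# classify_lines HACKING VIOLATIONS VIOLATIONS_IGNORE IGNORE  (lines on stdin)
# Prints "<section><TAB><line>" in the order Logcheck reports: active attack
# patterns first, then violations not excused by violations.ignore, then every
# line that no ignore pattern matches. Patterns are case-insensitive regexes.
classify_lines() {
    input=$(cat)
    [ -n "$input" ] || return 0
    printf '%s\n' "$input" | grep -i -f "$1" | awk '{ print "ATTACK\t" $0 }'
    printf '%s\n' "$input" | grep -i -f "$2" | grep -v -i -f "$3" \
        | awk '{ print "VIOLATION\t" $0 }'
    printf '%s\n' "$input" | grep -v -i -f "$4" | awk '{ print "UNUSUAL\t" $0 }'
}

# Demonstration: three runs over a constructed syslog file. Prints the number
# of lines seen by the first run, the ATTACK/VIOLATION/UNUSUAL counts of the
# second run (which sees only the two appended lines) and the line count of a
# third run with nothing new.
demo_logcheck() {
    work=$(mktemp -d)
    log="$work/messages"; off="$work/messages.offset"
    printf '%s\n' 'attackalert' 'ROOT LOGIN REFUSED' > "$work/logcheck.hacking"
    printf '%s\n' 'refused' 'denied' 'failed'        > "$work/logcheck.violations"
    printf '%s\n' 'refused connect from 127.0.0.1'  > "$work/logcheck.violations.ignore"
    printf '%s\n' 'CRON' 'Accepted password'         > "$work/logcheck.ignore"

    printf '%s\n' \
      'Oct  4 15:42:20 deep sshd[1234]: Accepted password for gmourani from 192.0.2.10' \
      'Oct  4 15:43:01 deep CRON[1240]: (root) CMD (run-parts /etc/cron.hourly)' > "$log"
    first=$(logtail_new "$log" "$off" | wc -l | tr -d ' ')

    printf '%s\n' \
      'Oct  4 15:44:12 deep in.telnetd[1255]: refused connect from 192.0.2.99' \
      'Oct  4 15:44:13 deep portsentry[312]: attackalert: Connect from host: 192.0.2.99' >> "$log"
    report=$(logtail_new "$log" "$off" | classify_lines "$work/logcheck.hacking" \
        "$work/logcheck.violations" "$work/logcheck.violations.ignore" \
        "$work/logcheck.ignore")
    third=$(logtail_new "$log" "$off" | wc -l | tr -d ' ')

    attacks=$(echo "$report" | grep -c '^ATTACK' || true)
    violations=$(echo "$report" | grep -c '^VIOLATION' || true)
    unusual=$(echo "$report" | grep -c '^UNUSUAL' || true)
    rm -rf "$work"
    echo "$first $attacks $violations $unusual $third"
}
```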


Step 1 

Although there are no Logcheck configuration files to change, the last action to take
before using the program is to automate it. To do that, create a file named logcheck under the
/etc/cron.daily directory and add the following lines to set Logcheck to run once per day.


• To create the logcheck file under the /etc/cron.daily directory with its required lines to
run once per day, type the following lines in your terminal (as root):

cat <<EOF > /etc/cron.daily/logcheck
#!/bin/sh
# Daily check Log files for security violations and unusual activity
/usr/sbin/logcheck
EOF
Step 2
Now, make this script executable and change its mode to be 0700. 


• This procedure can be accomplished with the following command:
[root@deep /]# chmod 700 /etc/cron.daily/logcheck








WARNING: Remember, in our configuration and installation, Logcheck does not report anything 
via email if it has nothing useful to say. 





List of installed Logcheck files in your system 


> /etc/cron.daily/logcheck
> /etc/logcheck
> /etc/logcheck/logcheck.hacking
> /etc/logcheck/logcheck.ignore
> /etc/logcheck/logcheck.violations
> /etc/logcheck/logcheck.violations.ignore
> /usr/sbin/logcheck
> /usr/sbin/logtail
15 Monitoring & System Integrity - PortSentry
In this Chapter 


Compiling - Optimizing & Installing PortSentry 
Configuring Portsentry 
Linux PortSentry


Abstract 

Firewalls help us to protect our network from intruders. With them we can choose which ports we
want to open and which ones we don't. This information is kept private by your organization.
Nobody on the outside knows this information, but attackers, as well as spammers, know that for
some kinds of attacks you can use a special program to scan all the ports on a server to glean
this valuable information (what is open and what is not).


As explained in the [PortSentry abstract]: 

A port scan is a symptom of a larger problem coming your way. It is often the precursor for an
attack and is a critical piece of information for properly defending your information resources.
PortSentry is a program designed to detect and respond to port scans against a target host in
real-time and has a number of options to detect port scans. When it finds one it can react in the
following ways:


✓ A log indicating the incident is made via syslog().
✓ The target host is automatically dropped.
✓ The local host is automatically re-configured to route all traffic to the target to a dead host
to make the target system disappear.
✓ The local host is automatically re-configured to drop all packets from the target via a local
packet filter.


The purpose of this is to give an admin a heads up that their host is being probed. 


These installation instructions assume:

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at your personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest PortSentry version number is 1.0


Packages 
The following is based on information as listed by Abacus as of 2001/03/25. Please regularly 
check at http://www.psionic.com/abacus/portsentry/ for the latest status. 


Pristine source code is available from: 


PortSentry Homepage Site: http://www.psionic.com/abacus/portsentry/ 
You must be sure to download: portsentry-1.0.tar.gz 
Pristine source

If you don't use the RPM package to install this program, it will be difficult for you to locate all
installed files in the system in the eventuality of an update in the future. To solve the problem,
it is a good idea to make a list of files on the system before you install PortSentry, and one
afterwards, and then compare them using the diff utility of Linux to find out what files are
placed where.


• Simply run the following command before installing the software:
[root@deep /root]# find /* > PortSentry1


• And the following one after you install the software:
[root@deep /root]# find /* > PortSentry2


• Then use the following command to get a list of what changed:
[root@deep /root]# diff PortSentry1 PortSentry2 > PortSentry-Installed

















With this procedure, if an upgrade appears later, all you have to do is read the generated list of 
files that were added or changed by the program and remove them manually from your system 
before installing the new version. In our example above, we use the /root directory of the 
system to store all generated list files. 


Compiling - Optimizing & Installing PortSentry 

Below are the required steps that you must make to configure, compile and optimize the 
PortSentry software before installing it into your Linux system. First off, we install the program 
as user 'root' so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


 • These procedures can be accomplished with the following commands: 
[root@deep /]# cp portsentry-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf portsentry-version.tar.gz 


Step 2 

After that, move into the newly created Port Sentry directory and modify some of its files as 
shown below to specify the installation paths, configuration, compilation and optimizations flags 
for your Linux system. We must hack those files to be compliant with Linux file system structure 
and install/optimize Port Sentry under our PATH Environment variable. 


 • To move into the newly created PortSentry directory use the following command: 
[root@deep tmp]# cd portsentry-1.0/ 
Step 2.1 
The first file that we will work on is named portsentry.conf, located under the source 
directory of PortSentry. In this file, we will change the default location of the different PortSentry 
configuration files. 

 • Edit the portsentry.conf file (vi +83 portsentry.conf) and change all of the 
targeted lines in the order shown below: 

IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore" 

To read: 

IGNORE_FILE="/etc/portsentry/portsentry.ignore" 

vi +85 portsentry.conf and change the line: 

HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history" 

To read: 

HISTORY_FILE="/var/log/portsentry/portsentry.history" 

vi +87 portsentry.conf and change the line: 

BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked" 

To read: 

BLOCKED_FILE="/var/log/portsentry/portsentry.blocked" 
Step 2.2 
The second file that we will modify is the portsentry_config.h header file. In this file, we 
will change the default install location of the configuration file for PortSentry. 

 • Edit the portsentry_config.h file (vi +34 portsentry_config.h) and change 
the following line: 

#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf" 

To read: 

#define CONFIG_FILE "/etc/portsentry/portsentry.conf" 
Step 2.3 
The final file that we must modify is the Makefile of PortSentry. The changes we make to 
this file add our optimization flags to speed up our PortSentry software. 

 • Edit the Makefile file (vi +24 Makefile) and change all of the targeted lines in the 
order shown below: 

CC = cc 
To read: 
CC = gcc 

vi +29 Makefile and change the line: 

CFLAGS = -O -Wall 

To read: 

CFLAGS = -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer -Wall 

vi +38 Makefile and change the line: 
INSTALLDIR = /usr/local/psionic 
To read: 
INSTALLDIR = /etc 

WARNING: Pay special attention to the compile CFLAGS line above. We optimize PortSentry for 
an i686 CPU architecture with the parameters "-march=i686 and -mcpu=i686". Please don't 
forget to adjust this CFLAGS line to reflect your own system. 





Step 3 

Now, we must make a list of files on the system before you install the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where and 
finally install PortSentry on the server: 

[root@deep portsentry-1.0]# cd 
[root@deep /root]# find /* > PortSentry1 
[root@deep /root]# cd /var/tmp/portsentry-1.0/ 
[root@deep portsentry-1.0]# make linux 
[root@deep portsentry-1.0]# install -m700 -s portsentry /usr/sbin/ 
[root@deep portsentry-1.0]# mkdir -p -m700 /etc/portsentry 
[root@deep portsentry-1.0]# install -m600 portsentry.conf /etc/portsentry/ 
[root@deep portsentry-1.0]# install -m600 portsentry.ignore /etc/portsentry/ 
[root@deep portsentry-1.0]# touch /etc/portsentry/portsentry.modes 
[root@deep portsentry-1.0]# chmod 600 /etc/portsentry/portsentry.modes 
[root@deep portsentry-1.0]# mkdir -p -m700 /var/log/portsentry 
[root@deep portsentry-1.0]# touch /var/log/portsentry/portsentry.blocked 
[root@deep portsentry-1.0]# touch /var/log/portsentry/portsentry.history 
[root@deep portsentry-1.0]# cd 
[root@deep /root]# find /* > PortSentry2 
[root@deep /root]# diff PortSentry1 PortSentry2 > PortSentry-Installed 

The above commands will configure the software for the Linux operating system, compile all 
source files into executable binaries, and then install the binaries and all files related to the 
PortSentry software into the destination directories we have chosen. 


Step 4 

Once configuration, compilation, optimization and installation of the software have been finished, 
we can free up some disk space by deleting the program tar archive and the related source 
directory since they are no longer needed. 


 • To delete PortSentry and its related source directory, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf portsentry-version/ 
[root@deep tmp]# rm -f portsentry-version.tar.gz 


The rm command as used above will remove all the source files we have used to compile and 
install Port Sentry. It will also remove the Port Sentry compressed archive from the 
/var/tmp directory. 


Configuring PortSentry 
After building PortSentry, your next step is to verify or change, if necessary, options in your 
PortSentry configuration files. Those files are: 


 ✓ /etc/portsentry/portsentry.conf (The PortSentry Configuration File) 
 ✓ /etc/portsentry/portsentry.ignore (The PortSentry Ignore File) 
 ✓ /etc/portsentry/portsentry.modes (The PortSentry Modes File) 
 ✓ /etc/rc.d/init.d/portsentry (The PortSentry Initialization File) 
 ✓ /etc/logrotate.d/portsentry (The PortSentry Log Rotation File) 


/etc/portsentry/portsentry.conf: The PortSentry Config File 

The portsentry.conf file is the main configuration file for Port Sentry, which allows you to 
set options that modify the operation of the program. It is well commented and very basic. We 
must change the default one to fit our requirements and operating system. 
From this configuration file you can specify which ports you want PortSentry to listen on, which 
hosts are ignored, how a scanning host is denied (route drop, packet filter, hosts.deny entry or an 
external command), whether the automatic responses are disabled, and so on. For more 
information read the README.install file under the PortSentry uncompressed source 
directory. The lines that must be customized and adjusted to satisfy our needs are the file 
locations (IGNORE_FILE, HISTORY_FILE, BLOCKED_FILE) and the response settings 
(BLOCK_UDP, BLOCK_TCP, KILL_ROUTE, KILL_HOSTS_DENY); the rest can be left at the 
defaults shipped with PortSentry. 














 • Edit the portsentry.conf file (vi /etc/portsentry/portsentry.conf) and set 
your needs. Below is what we recommend. 


# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1023 ports.
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should be left alone.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"

#######################
# Configuration Files #
#######################
#
# Hosts to ignore
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/var/log/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/var/log/portsentry/portsentry.blocked"

####################
# Response Options #
####################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#

##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes #
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

##
# Using a packet filter is the preferred method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##

# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchain support for Linux kernel version 2.102+
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#

###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
#KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode. This
# mode requires a full connect and is very hard to spoof.
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"

#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0 without a problem except in Advanced
# stealth detection mode. If you are using the advanced detection option
# you need to watch for the trigger situation. Because Advanced
# mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really
# tripwire someone (i.e. someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the
# PortSentry. I *don't* recommend taunting the person as this will
# aggravate them. Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

# EOF

/etc/portsentry/portsentry.ignore: The PortSentry Ignore File 

The portsentry.ignore file is where you add any host you want to be ignored if it connects to 
a tripwired port. This should always contain at least the localhost (127.0.0.1) and the IP's 
of the local interfaces (lo). It is not recommended that you put in every IP on your network. It is 
well commented and very simple to understand. 

 • Edit the portsentry.ignore file (vi /etc/portsentry/portsentry.ignore) 
and add in any host you want to be ignored if it connects to a tripwired port. Below is 
what we recommend. 
# Put hosts in here you never want blocked. This includes the IP
# addresses of all local interfaces on the protected host (i.e virtual
# host, multi-home). Keep 127.0.0.1 and 0.0.0.0 to keep people from playing
# games.
127.0.0.1
0.0.0.0
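The response options above and the ignore file share one weak spot that the configuration file itself warns about: TCP/IP is unauthenticated, so a scan can be made to "appear out of thin air", and whatever address PortSentry is handed in $TARGET$ gets blocked as-is. A spoofed SYN carrying the address of your default gateway or DNS server is enough to make a bare KILL_ROUTE cut the box off. The following wrapper is an added example, not part of PortSentry or of this book: PortSentry runs it as the external command (BLOCK_TCP="2" and BLOCK_UDP="2" make PortSentry run only KILL_RUN_CMD), and the script re-checks the address against the ignore file, against an operator-kept never-block list, and against what a real scanner can own before inserting an iptables DROP rule. The install path /usr/local/sbin/portsentry-block and the file /etc/portsentry/portsentry.never are this example's own assumptions. It blocks with iptables rather than the ipchains line recommended above because Red Hat 7.1 and the firewall built in Part III of this book use iptables, and on a 2.4 kernel the ipchains and ip_tables modules cannot be loaded at the same time.

```shell
#!/bin/sh
# portsentry-block: added example, not part of PortSentry or of this book.
# Hook it in portsentry.conf as (install path is an assumption):
#
#   BLOCK_TCP="2"      # 2 = run the external command only
#   BLOCK_UDP="2"
#   KILL_RUN_CMD="/usr/local/sbin/portsentry-block $TARGET$ $PORT$"
#
# The DROP rule goes at the top of INPUT and, like every KILL_ROUTE in the
# conf file, does not survive a reboot or a firewall restart.
# DRYRUN=1 prints the iptables command instead of running it; set DRYRUN=0
# in the installed copy.

IGNORE_FILE="${IGNORE_FILE:-/etc/portsentry/portsentry.ignore}"
NEVER_FILE="${NEVER_FILE:-/etc/portsentry/portsentry.never}"   # assumed file
DRYRUN="${DRYRUN:-1}"

log() {
    # PortSentry logs through syslog; do the same when logger is available.
    if command -v logger >/dev/null 2>&1; then
        logger -t portsentry-block "$*" 2>/dev/null || true
    fi
    echo "portsentry-block: $*" >&2
}

# is_ipv4 ADDR : true if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0; rest="$1."
    while [ -n "$rest" ]; do
        o="${rest%%.*}"; rest="${rest#*.}"
        n=$((n + 1))
        [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# is_unicast ADDR : false for addresses no real scanner can own
is_unicast() {
    case "$1" in
        0.*|127.*|255.255.255.255) return 1 ;;   # "this" net, loopback, broadcast
        22[4-9].*|2[3-5][0-9].*)   return 1 ;;   # multicast 224/4, reserved 240/4
    esac
    return 0
}

# listed_in FILE ADDR : true if ADDR is on its own line; "#" comments and
# trailing blanks are ignored, the same format portsentry.ignore uses.
listed_in() {
    [ -r "$1" ] || return 1
    sed 's/#.*//; s/[[:space:]]*$//' "$1" | grep -qxF "$2"
}

# decide ADDR : prints "block" (exit 0) or "skip:<reason>" (exit 1)
decide() {
    if ! is_ipv4 "$1";                then echo "skip:not-ipv4";   return 1; fi
    if ! is_unicast "$1";             then echo "skip:not-unicast"; return 1; fi
    if listed_in "$IGNORE_FILE" "$1"; then echo "skip:ignored";    return 1; fi
    if listed_in "$NEVER_FILE" "$1";  then echo "skip:never";      return 1; fi
    echo "block"
}

# block_host ADDR PORT : the entry point PortSentry calls
block_host() {
    target="$1"; port="${2:-?}"
    if verdict=$(decide "$target"); then
        cmd="/sbin/iptables -I INPUT -s $target -j DROP"
        log "blocking $target (scanned port $port): $cmd"
        if [ "$DRYRUN" = 1 ]; then echo "$cmd"; else $cmd; fi
    else
        log "NOT blocking $target (scanned port $port): $verdict"
    fi
}

if [ $# -gt 0 ]; then block_host "$1" "$2"; fi
```

PortSentry already consults the ignore file before reacting; re-reading it here is a fail-safe so the same list applies when the script is run by hand or from another tool. The never-block list is where the gateway, DNS and management addresses go, since those are exactly the ones an attacker would spoof to turn PortSentry against you.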


/etc/portsentry/portsentry.modes: The PortSentry Modes File 

The PortSentry program can be configured in six different modes of operation, but be aware 
that only one protocol mode type can be started at a time. To be more accurate, you can start 
one TCP mode and one UDP mode, so two TCP modes and one UDP mode, for example, won't 
work. 


The available PortSentry modes are: 

 ✓ portsentry -tcp (Basic port-bound TCP mode) 
 ✓ portsentry -udp (Basic port-bound UDP mode) 
 ✓ portsentry -stcp (Stealth TCP scan detection mode) 
 ✓ portsentry -sudp ("Stealth" UDP scan detection mode) 
 ✓ portsentry -atcp (Advanced "Stealth" TCP scan detection mode) 
 ✓ portsentry -audp (Advanced "Stealth" UDP scan detection mode) 


For the best use of this software it is preferable to start PortSentry in Advanced TCP stealth 
scan detection mode and stealth UDP scan detection mode. For information about the other 
modes available, please refer to the README.install and README.stealth files under the 
PortSentry source directory. 























With the Advanced TCP stealth scan detection mode “-atcp”, PortSentry will first check to 
see what ports you have running on your server, then remove these ports from monitoring and 
will begin watching the remaining ports. This is very powerful and reacts exceedingly quickly for 
port scanners. It also uses very little CPU time. This mode is the most sensitive and the most 
effective of all the protection options. With the stealth UDP scan detection mode “-sudp”, the 
PortSentry UDP ports will be listed and then monitored. 


The six different modes of operation under which PortSentry can operate must be specified in 
the configuration file named portsentry.modes located in the /etc/portsentry/ directory. 
We can add inside this file all the six possible modes of Port Sentry, then uncomment the two 
you want to use for the Linux server. 


 • Edit the portsentry.modes file (vi /etc/portsentry/portsentry.modes) and 
add the following lines inside it. Below is what we recommend. 

# Place whitespace dilineated modes below.
# Blank lines and pound deliniated comments are ignored.
#tcp
#udp
#stcp
atcp
sudp
#audp
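The rule stated above, one TCP mode and one UDP mode at most, is easy to break by uncommenting one line too many, and nothing in the modes file itself stops you. The initialization script created in the next section turns this file into a list of daemons to start with cut -d "#" -f 1, so a second TCP mode simply fails to start in the middle of a boot message. The following check is an added example, not part of PortSentry or of this book; it parses the modes file the same way the initialization script does and refuses an invalid combination before anything is started. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book or PortSentry): validate
# /etc/portsentry/portsentry.modes before starting the daemons.
# Run it from the init script's start) branch, or by hand after editing the
# file:   check_modes /etc/portsentry/portsentry.modes || exit 1

# modes_from FILE : print the active modes, one per line, exactly as the
# init script sees them (everything after "#" dropped, words split on blanks)
modes_from() {
    cut -d "#" -f 1 "$1" | tr -s ' \t' '\n' | sed '/^$/d'
}

# check_modes FILE : prints "ok: <modes>" and returns 0 when the file would
# start a valid combination, otherwise prints the reason and returns 1.
check_modes() {
    tcp=0; udp=0; bad=""
    for m in $(modes_from "$1"); do
        case "$m" in
            tcp|stcp|atcp) tcp=$((tcp + 1)) ;;
            udp|sudp|audp) udp=$((udp + 1)) ;;
            *) bad="$bad $m" ;;
        esac
    done
    if [ -n "$bad" ]; then
        echo "error: unknown mode(s):$bad"; return 1
    fi
    if [ "$tcp" -gt 1 ]; then
        echo "error: $tcp TCP modes listed, only one can run"; return 1
    fi
    if [ "$udp" -gt 1 ]; then
        echo "error: $udp UDP modes listed, only one can run"; return 1
    fi
    if [ "$tcp" -eq 0 ] && [ "$udp" -eq 0 ]; then
        # the init script falls back to "tcp udp" on an empty file; say so
        echo "error: no modes listed, init script would fall back to tcp udp"; return 1
    fi
    echo "ok: $(modes_from "$1" | tr '\n' ' ' | sed 's/ $//')"
}
```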
/etc/rc.d/init.d/portsentry: The PortSentry Initialization File 
The /etc/rc.d/init.d/portsentry script file is responsible for automatically starting and 
stopping the PortSentry daemon on your server. 

Step 1 
Create the portsentry script file (touch /etc/rc.d/init.d/portsentry) and add the 
following lines inside it: 

#!/bin/sh
# portsentry      Start the portsentry Port Scan Detector
# Author: Craig Rowland <crowland@psionic.com>
#
# chkconfig: 345 98 05
# description: PortSentry Port Scan Detector is part of the Abacus Project \
#              suite of tools. The Abacus Project is an initiative to release \
#              low-maintenance, generic, and reliable host based intrusion \
#              detection software to the Internet community.
# processname: portsentry
# configfile: /etc/portsentry/portsentry.conf
# pidfile: /var/run/portsentry.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Get config.
. /etc/sysconfig/network

# Check that networking is up.
if [ "${NETWORKING}" = "no" ]
then
        exit 0
fi

[ -f /usr/sbin/portsentry ] || exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Port Scan Detector: "
        # one daemon per uncommented word in portsentry.modes
        if [ -s /etc/portsentry/portsentry.modes ] ; then
            modes=`cut -d "#" -f 1 /etc/portsentry/portsentry.modes`
        else
            modes="tcp udp"
        fi
        for i in $modes ; do
            portsentry -$i
            echo -n "$i "
        done
        echo
        touch /var/lock/subsys/portsentry
        ;;
  stop)
        echo -n "Stopping Port Scan Detector: "
        killproc portsentry
        echo
        rm -f /var/lock/subsys/portsentry
        ;;
  status)
        status portsentry
        ;;
  restart|reload)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: portsentry {start|stop|status|restart|reload}"
        exit 1
esac

exit 0

Step 2 


Once the portsentry script file has been created, it is important to make it executable and 
change its default permissions. Making this file executable will allow the system to run it; 
changing its default permissions allows only the root user to change this file, for security 
reasons. 

 • To make this script executable and to change its default permissions, use the commands: 
[root@deep /]# chmod 700 /etc/rc.d/init.d/portsentry 
[root@deep /]# chown 0.0 /etc/rc.d/init.d/portsentry 

 • To create the symbolic rc.d links for PortSentry, use the following commands: 
[root@deep /]# chkconfig --add portsentry 
[root@deep /]# chkconfig --level 345 portsentry on 

 • To start the PortSentry software manually, use the following command: 
[root@deep /]# /etc/rc.d/init.d/portsentry start 
Starting Port Scan Detector: atcp sudp 















/etc/logrotate.d/portsentry: The PortSentry Log Rotation File 
The /etc/logrotate.d/portsentry file is responsible for rotating the PortSentry log files 
automatically each week via logrotate. PortSentry itself reports incidents via syslog; if you 
are not familiar with syslog, look at the syslog.conf(5) manual page for a description of the 
syslog configuration file, or the syslogd(8) manual page for a description of the syslogd daemon. 

 • Create the portsentry file (touch /etc/logrotate.d/portsentry) and add the 
following lines inside it: 


/var/log/portsentry/portsentry.blocked {
    postrotate
        /usr/bin/killall -HUP portsentry
    endscript
}

/var/log/portsentry/portsentry.blocked.atcp {
    postrotate
        /usr/bin/killall -HUP portsentry
    endscript
}

/var/log/portsentry/portsentry.blocked.sudp {
    postrotate
        /usr/bin/killall -HUP portsentry
    endscript
}

/var/log/portsentry/portsentry.history {
    postrotate
        /usr/bin/killall -HUP portsentry
    endscript
}








NOTE: All the configuration files required for each piece of software described in this book have 
been provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be 
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can 
unpack this to any location on your local machine, say for example /var/tmp; assuming you 
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy 
directory each configuration file has its own directory for the respective software. You can either 
cut and paste these directly if you are faithfully following our instructions from the beginning, or 
manually edit them to suit your needs. This facility is there as a convenience, but please don't 
forget that ultimately it is your responsibility to check and verify them before you use them, 
whether modified or as they are. 





List of installed PortSentry files in your system 


> /etc/logrotate.d/portsentry 
> /etc/portsentry 
> /etc/portsentry/portsentry.conf 
> /etc/portsentry/portsentry.ignore 
> /etc/portsentry/portsentry.modes 
> /usr/sbin/portsentry 
> /var/log/portsentry 
> /etc/rc.d/init.d/portsentry 
> /var/log/portsentry/portsentry.blocked 
> /var/log/portsentry/portsentry.history 
16 Monitoring & System Integrity - Tripwire 
In this Chapter 


Compiling - Optimizing & Installing Tripwire 
Configuring Tripwire 

Securing Tripwire 

Tripwire Administrative Tools 
Linux Tripwire 


Abstract 

Tripwire ASR 1.3.1 is the "Academic Source Release (ASR)" of the Tripwire software. 
Personally, I prefer the 1.3.1 version of the software rather than the 2.2.1 version because it can 
be compiled and installed without any compatibility problems on most popular Unix based 
operating systems. 


Tripwire data and network integrity software was originally developed in 1992 at Purdue 
University by world-renowned computer security expert, Dr. Eugene Spafford, and by master's 
degree student, Gene Kim. The resulting academic source release (ASR) was quickly embraced 
by computer security experts and actively used by thousands of corporate, government, and 
educational organizations worldwide. 


As explained in the [Tripwire ASR goals]: 
With the advent of increasingly sophisticated and subtle account break-ins on Unix systems, the 
need for tools to aid in the detection of unauthorized modification of files becomes clear. 


Tripwire is a tool that aids system administrators and users in monitoring a designated set of 
files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify 
system administrators of corrupted or tampered files, so damage control measures can be taken 
in a timely manner. 


Tripwire is a file and directory integrity checker, a utility that compares a designated set of files 
and directories against information stored in a previously generated database. Any differences 
are flagged and logged, including added or deleted entries. When run against system files on a 
regular basis, any changes in critical system files will be spotted -- and appropriate damage 
control measures can be taken immediately. With Tripwire, system administrators can 
conclude with a high degree of certainty that a given set of files remain free of unauthorized 
modifications if Tripwire reports no changes. 


These installation instructions assume 

Commands are Unix-compatible. 

The source path is /var/tmp (note that other paths are possible, as personal discretion). 
Installations were tested on Red Hat 7.1. 

All steps in the installation will happen using the super-user account “root”. 

Whether kernel recompilation may be required: No 

Latest Tripwire version number is 1.3.1-1 


Packages 
The following is based on information as listed by Tripwire as of 2001/03/25. Please regularly 
check at http://www.tripwire.com/ for the latest status. 

Source code is available from: 

Tripwire Homepage: http://www.tripwire.com/ 
You must be sure to download: Tripwire-1.3.1-1.tar.gz 
Pristine source 

If you don't install this program from an RPM package, it will be difficult to locate all of the 
files it placed on the system when you need to update or remove it in the future. To solve this 
problem, it is a good idea to make a list of the files on the system before you install Tripwire, 
and one afterwards, and then compare them using the diff utility of Linux to find out what files 
were placed where. 

 • Simply run the following command before installing the software: 
[root@deep /root]# find /* > Tripwire1 

 • And the following one after you install the software: 
[root@deep /root]# find /* > Tripwire2 

 • Then use the following command to get a list of what changed: 
[root@deep /root]# diff Tripwire1 Tripwire2 > Tripwire-Installed 

















With this procedure, if an upgrade appears later, all you have to do is read the generated list of 
files that were added or changed by the program and remove them manually from your system 
before installing the new version. In our example above, we use the /root directory of the 
system to store all generated list files. 
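The find / diff bookkeeping above (and the same procedure in the PortSentry chapter earlier on this page) works, but it has two rough edges on a live system: find /* walks /proc, whose contents change between the two runs, and diff over unsorted lists reports files that merely moved in directory order, so the "installed" list picks up noise that has nothing to do with the package. The following helper is an added example, not part of this book: it keeps the snapshot files under /root as the book does, sorts the lists, stays on one filesystem and skips the build tree and the snapshot directory, and prints only the paths that are new. The SNAPDIR variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): snapshot the file tree before and after a
# hand-built "make install" and list exactly what appeared.
#
# Usage (as root), mirroring Step 3 of the install procedures on this page:
#   snapshot_tree / Tripwire1
#   make install ...                  # the install commands
#   snapshot_tree / Tripwire2
#   list_new_paths Tripwire1 Tripwire2 > Tripwire-Installed

SNAPDIR="${SNAPDIR:-/root}"      # where the book keeps PortSentry1/Tripwire1 etc.

# snapshot_tree ROOT NAME : write a sorted list of every path below ROOT to
# $SNAPDIR/NAME.  -xdev keeps find on one filesystem, so /proc, /sys and
# network mounts are left out; the build tree and the snapshot directory are
# pruned because they change by definition.
snapshot_tree() {
    root="${1%/}"; name="$2"
    find "${root:-/}" -xdev \
        -path "$root/var/tmp" -prune -o \
        -path "$SNAPDIR" -prune -o \
        -print 2>/dev/null | LC_ALL=C sort > "$SNAPDIR/$name"
}

# list_new_paths BEFORE AFTER : paths present in AFTER but not in BEFORE.
# comm needs both inputs sorted the same way, which snapshot_tree guarantees.
list_new_paths() {
    LC_ALL=C comm -13 "$SNAPDIR/$1" "$SNAPDIR/$2"
}

# count_new_paths BEFORE AFTER : number of new paths, as a bare integer
count_new_paths() {
    list_new_paths "$1" "$2" | wc -l | tr -d ' '
}
```

The list this produces is what you later walk through to remove a hand-installed package; a modified-but-pre-existing file (a shared config that the install overwrote) is not new and will not show up here, which is one more reason to keep the package's own files under their own directories as this book does.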


Compiling - Optimizing & Installing Tripwire 

Below are the required steps that you must make to configure, compile and optimize the 
Tripwire software before installing it into your Linux system. First off, we install the program as 
user ‘root’ so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


 • These procedures can be accomplished with the following commands: 
[root@deep /]# cp Tripwire-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf Tripwire-version.tar.gz 


Step 2 

After that, move into the newly created Tripwire directory and modify some of its files as 
shown below to specify the installation paths, compilation and optimizations flags for your Linux 
system. 


 • To move into the newly created Tripwire directory use the following command: 
[root@deep tmp]# cd tw_ASR_1.3.1_src/ 

Step 2.1 
The first file we will work on is named utils.c, located under the source directory of 
Tripwire. 

 • Edit the utils.c file (vi +462 src/utils.c) and change the line: 

else if (iscntrl(*pcin)) { 

To read: 

else if (!(*pcin & 0x80) && iscntrl(*pcin)) { 


Step 2.2 
The second file we must modify is the config.parse.c file. 


 • Edit the config.parse.c file (vi +356 src/config.parse.c) and change the lines: 

rewind(fpout); 
return; 

To read: 

else { 
    rewind(fpin); 
} 
return; 


Step 2.3 
The third file to modify is the config.h header file of Tripwire. In this file, we will change the 
default location of the different Tripwire directories and files. 

 • Edit the config.h file (vi +106 include/config.h) and change all of the targeted 
lines in the order shown below: 

#define CONFIG_PATH     "/usr/local/bin/tw" 
#define DATABASE_PATH   "/var/tripwire" 

To read: 

#define CONFIG_PATH     "/etc" 
#define DATABASE_PATH   "/var/spool/tripwire" 

vi +165 include/config.h and change the line: 

#define TEMPFILE_TEMPLATE "/tmp/twzXXXXXX" 

To read: 

#define TEMPFILE_TEMPLATE "/var/tmp/.twzXXXXXX" 
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Step 2.4 
The next file we must modify is the config.pre.y file of this program. 


e Edit the config.pre.y file (vi +66 src/config.pre.y) and change the line: 
#ifdef TW_LINUX 


To read: 


#ifdef TW_LINUX_UNDEF 


Step 2.5 

The last file to modify is the Makefile of Tripwire. The changes we make to this file are to add
our optimization flags to speed up our Tripwire software and to change the default location of
the different Tripwire binaries and directories.


• Edit the Makefile file (vi +13 Makefile) and change all of the targeted lines in the
order shown below:

DESTDIR = /usr/local/bin/tw
DATADIR = /var/tripwire

To read:

DESTDIR = /usr/sbin
DATADIR = /var/spool/tripwire

MANDIR = /usr/man

To read:

MANDIR = /usr/share/man

LEX = lex

To read:

LEX = flex

CFLAGS = -O

To read:

CFLAGS = -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer


WARNING: Pay special attention to the compile CFLAGS line above. We optimize Tripwire for an
i686 CPU architecture with the parameters “-march=i686 and -mcpu=i686”. Please don’t forget
to adjust this CFLAGS line to reflect your own system and architecture.
Step 3

Now, we must make a list of files on the system before you install the software, and one
afterwards, then compare them using the diff utility to find out what files are placed where and
finally install Tripwire in the server:


[root@deep tw_ASR_1.3.1_src]# make
[root@deep tw_ASR_1.3.1_src]# cd
[root@deep /root]# find /* > Tripwire1
[root@deep /root]# cd /var/tmp/tw_ASR_1.3.1_src/
[root@deep tw_ASR_1.3.1_src]# make install
[root@deep tw_ASR_1.3.1_src]# chmod 700 /var/spool/tripwire/
[root@deep tw_ASR_1.3.1_src]# chmod 500 /usr/sbin/tripwire
[root@deep tw_ASR_1.3.1_src]# chmod 500 /usr/sbin/siggen
[root@deep tw_ASR_1.3.1_src]# mv /usr/sbin/tw.config /etc/
[root@deep tw_ASR_1.3.1_src]# strip /usr/sbin/tripwire
[root@deep tw_ASR_1.3.1_src]# strip /usr/sbin/siggen
[root@deep tw_ASR_1.3.1_src]# cd
[root@deep /root]# find /* > Tripwire2
[root@deep /root]# diff Tripwire1 Tripwire2 > Tripwire-Installed


The above commands will configure the software to ensure your system has the necessary 
libraries to successfully compile the package, compile all source files into executable binaries, 
and then install the binaries and any supporting files into the appropriate locations. 


The chmod command will change the default permission mode of the Tripwire directory to be 700
(drwx------), only readable, writable, and executable by the super-user “root”. It will also make
the binary programs /usr/sbin/tripwire and /usr/sbin/siggen only readable and
executable by the super-user “root” (-r-x------). The mv command as used above will move
the file tw.config from /usr/sbin to the /etc directory, and finally the strip command will
reduce the size of the tripwire and siggen binaries to get the optimal performance of those
programs.


Step 4 

Once configuration, compilation, optimization and installation of the software have been finished, 
we can free up some disk space by deleting the program tar archive and the related source 
directory since they are no longer needed. 


• To delete Tripwire and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf tw_ASR_version/
[root@deep tmp]# rm -f Tripwire-version.tar.gz


The rm command as used above will remove all the source files we have used to compile and 
install Tripwire. It will also remove the Tripwire compressed archive from the /var/tmp 
directory. 


Configuring Tripwire 
After building Tripwire, your next step is to verify or change, if necessary, the options in your
Tripwire configuration files. Those files are:


✓ /etc/tw.config (The Tripwire Configuration File)
✓ /etc/cron.daily/Tripwire (The Tripwire Cron File)
/etc/tw.config: The Tripwire Configuration File

The tw.config file is the Tripwire configuration file where you decide and set which system
files and directories you want monitored. Note that extensive testing and experience are
necessary when editing this file before you get working file reports. The following is a working
example from which you can start your own customization. We must create, edit or change it to fit
our requirements and operating system. The text in bold is the part of the configuration file that
must be customized and adjusted to satisfy our needs.


Step 1 

Edit the tw.config file (vi /etc/tw.config) and add into this file all the files and directories
that you want monitored. The format of the configuration file is described in its header and in the
manual page tw.config (5). Below is what we recommend:


# Gerhard Mourani: gmourani@openna.com
# last updated: 04/01/2001

# First, root's "home"
/root R
!/root/.bash_history

/ R

# OS itself and critical boot resources
/boot R

# Critical directories and configuration files
/bin R
/chroot R
/etc R
/lib R
/sbin R

# Critical devices
/dev/kmem R
/dev/mem R
/dev/null R
/dev/zero R
/proc/devices R
/proc/net R
/proc/tty R
/proc/sys R
/proc/cpuinfo R
/proc/mounts R
/proc/dma R
/proc/filesystems R
/proc/ide R
/proc/interrupts R
/proc/ioports R
/proc/scsi R
/proc/kcore R
/proc/self R
/proc/kmsg R
/proc/stat R
/proc/fs R
/proc/bus R
/proc/loadavg R
/proc/uptime R
/proc/locks R
/proc/version R
/proc/meminfo R
/proc/cmdline R
/proc/misc R

# Other popular filesystems
/usr R
/dev L-am

# Truncate home
=/home R

# var tree
=/var/spool
/var/db
/var/lib
/var/local
!/var/lock
/var/log
/var/preserve
/var/spool/cron
/var/spool/mqueue
/var/spool/mail
/var/spool/tripwire

# Unusual directories
=/proc E
=/tmp
=/mnt/cdrom

Step 2 
Now, for security reasons, change the mode of this file to be 0400. 


• This procedure can be accomplished with the following command:
[root@deep /]# chmod 400 /etc/tw.config


/etc/cron.daily/tripwire: The Tripwire Cron File 

The tripwire file is a small script executed automatically by the crond program of your server 
each day to scan your hard disk for possible changed files or directories and mail the results to 
the system administrator. This script will automate the procedure of integrity checking for you. If 
you intend to automate this task, follow the simple steps below. 


Step 1 

Create the tripwire script file (touch /etc/cron.daily/tripwire) and add the lines:
#!/bin/sh

/usr/sbin/tripwire -loosedir -q | (cat <<EOF

This is an automated report of possible file integrity changes, generated by
the Tripwire integrity checker. To tell Tripwire that a file or entire
directory tree is valid, as root run:

/usr/sbin/tripwire -update [pathname|entry]

If you wish to enter an interactive integrity checking and verification
session, as root run:

/usr/sbin/tripwire -interactive

Changed files/directories include:

EOF

cat

) | /bin/mail -s "File integrity report" root
Step 2
Now, make this script executable and change its permission mode to be 0700. 


• This procedure can be accomplished with the following command:
[root@deep /]# chmod 700 /etc/cron.daily/tripwire








NOTE: All the configuration files required for each software described in this book have been
provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can
unpack this to any location on your local machine, say for example /var/tmp; assuming you
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy
directory each configuration file has its own directory for the respective software. You can either cut
and paste this directly if you are faithfully following our instructions from the beginning or
manually edit these to modify to your needs. This facility is there as a convenience, but
please don't forget that ultimately it will be your responsibility to check, verify, etc. before you use
them, whether modified or as is.





Securing Tripwire 

It is recommended that the database (tw.db_[hostname]) file of Tripwire be moved
someplace (e.g. a floppy) where it cannot be modified. This is important because data from
Tripwire is only as trustworthy as its database.


It is also recommended that you make a hardcopy printout of the database contents right away. In
the event that you become suspicious of the integrity of the database, you will be able to
manually compare information against this hardcopy.


Further documentation 
For more details, there are several manual pages you can read: 


$ man siggen (8) - Signature generation routine for Tripwire
$ man tripwire (8) - A file integrity checker for UNIX systems 
$ man tw.config (5) - Configuration file for Tripwire 


Tripwire Administrative Tools 
The commands listed below are some of the most used of this software, but many more exist. 
Check the Tripwire manual pages for more details. 


Running Tripwire in Interactive Checking Mode 

In the “Interactive Checking Mode” feature, Tripwire verifies files or directories that have been
added, deleted, or changed from the original database and asks the user whether the database
entry should be updated. This mode is the most convenient way of keeping your database up-to-
date, but it requires that the user be "at the console". If you intend to use this mode, then follow
the simple steps below.
Step 1

Tripwire must have a database to compare against, so we first create the file information 
database. This action will create a file called “tw.db_[hostname]” in the directory you specified 
to hold your databases (where [hostname] will be replaced with your machine hostname). 


• To create the file information database for Tripwire, use the following command:
[root@deep /]# cd /var/spool/tripwire/
[root@deep tripwire]# /usr/sbin/tripwire -initialize
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.

### Warning: creating ./databases directory!
###
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database


We move to the directory we specified to hold our database, and then we create the file 
information database, which is used for all subsequent Integrity Checking. This command is used 
only one time to create the information database of all files and directories that must be checked 
by the program. Once your information database is created you don’t have to retype this 
command again. 


Step 2 

Once the file information database of Tripwire has been created, we can now run Tripwire in 
“Interactive Checking Mode”. This mode will prompt the user for whether or not each changed 
entry on the system should be updated to reflect the current state of the file. 


• To run Tripwire in Interactive Checking Mode, use the following command:
[root@deep /]# cd /var/spool/tripwire/database/
[root@deep database]# cp tw.db_myserverhostname /var/spool/tripwire/
[root@deep database]# cd
[root@deep tripwire]# /usr/sbin/tripwire --interactive
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.

### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
###     Total files scanned:     15722
###           Files added:          34
###           Files deleted:        42
###           Files changed:       321
###
###     Total file violations:     397
###
added:   rwx root  22706 Dec 31 06:25:02 1999 /root/tmp/firewall

---> File: '/root/tmp/firewall'
---> Update entry?  [YN(y)nh?]
NOTE: In interactive mode, Tripwire first reports all added, deleted, and changed files, then
allows the user to update the entry in the database. 





Running Tripwire in Database Update Mode 

Running Tripwire in “Database Update Mode” mixed with the tripwire.verify script file 
that mails the results to the system administrator will reduce the time of scanning the system. 
Instead of running Tripwire in “Interactive Checking Mode” and waiting for the long scan to 
finish, the script file tripwire.verify will scan the system and report via mail the result, then 
you run Tripwire in “Database Update Mode” and update only single files or directories that 
have changed (if needed). 


As an example: 
If a single file has changed, you can: 


[root@deep /]# tripwire -update /etc/newly.installed.file 


Or, if an entire set of files or directories has changed, you can run: 


[root@deep /]# tripwire -update /usr/lib/Package_Dir 


In either case, Tripwire regenerates the database entries for every specified file. A backup of
the old database is created in the ./databases directory.
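The following is an added example in Python, not Tripwire's own code, showing the mechanics behind the tw.config entries of this chapter and the two modes just described: plain paths are scanned, a "!" entry is pruned, a "=" entry is recorded without descending into it, a file information database is built (phases 2 and 3), a later scan is compared against it to report added, deleted and changed files (phase 4), and update_entries() regenerates only the named entries the way Database Update Mode does. The select-flag column (R, L-am, E) is ignored, SHA-256 stands in for Tripwire's own signature set, and the directory tree and the tw.config text inside demo() are constructed for the example.

```python
"""Minimal file-integrity checker modelled on the tw.config entries in this chapter.
Added example, not Tripwire's code: plain paths are scanned, '!path' prunes, '=path' records
a directory without descending into it, and the select-flag column (R, L-am, E) is ignored."""
import hashlib
import os
import pathlib
import shutil
import stat
import tempfile

def parse_tw_config(text):
    """Return (monitored, pruned, no_recurse) path collections from tw.config text."""
    monitored, pruned, no_recurse = [], set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entry = line.split()[0]          # first column only; flags such as R are ignored here
        if entry.startswith("!"):
            pruned.add(entry[1:])
            continue
        if entry.startswith("="):
            no_recurse.add(entry[1:])
        monitored.append(entry.lstrip("="))
    return monitored, pruned, no_recurse

def _under(path, roots):
    """True if path is one of roots or lies below one of them."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)

def _fingerprint(path):
    """Mode, owner, size, mtime and, for regular files, a SHA-256 standing in for Tripwire's signatures."""
    st = os.lstat(path)
    digest = ""
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
    return (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, st.st_size, int(st.st_mtime), digest)

def build_database(monitored, pruned, no_recurse):
    """Phases 2 and 3: generate the file list and record one fingerprint per path."""
    db = {}
    for root in monitored:
        if _under(root, pruned) or not os.path.lexists(root):
            continue
        db[root] = _fingerprint(root)
        if root in no_recurse or os.path.islink(root) or not os.path.isdir(root):
            continue
        for dirpath, dirnames, filenames in os.walk(root):
            for d in list(dirnames):
                p = os.path.join(dirpath, d)
                if _under(p, pruned) or p in no_recurse:   # '!' skips the subtree, '=' stops descent
                    dirnames.remove(d)
                if not _under(p, pruned):                  # '=' directories are still recorded
                    db[p] = _fingerprint(p)
            for name in filenames:
                p = os.path.join(dirpath, name)
                if not _under(p, pruned):
                    db[p] = _fingerprint(p)
    return db

def compare(baseline, current):
    """Phase 4: report added, deleted and changed entries."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)), "deleted": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in both if baseline[p] != current[p])}

def update_entries(baseline, current, paths):
    """Database Update Mode: regenerate only the named entries and their subtrees."""
    updated = {p: fp for p, fp in baseline.items() if not _under(p, paths)}
    updated.update({p: fp for p, fp in current.items() if _under(p, paths)})
    return updated

def demo():
    """Run the checker over a constructed tree; the result uses paths relative to it."""
    base = tempfile.mkdtemp(prefix="twdemo-")
    rel = lambda paths: sorted(os.path.relpath(p, base) for p in paths)
    write = lambda path, data: pathlib.Path(base, path).write_text(data)
    try:
        for d in ("etc", "home/alice", "root"):
            os.makedirs(os.path.join(base, d))
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("home/alice/notes", "hello\n")
        write("root/.bash_history", "ls\n")
        spec = parse_tw_config(f"# constructed tw.config in the chapter's format\n{base}/root R\n"
                               f"!{base}/root/.bash_history\n{base}/etc R\n={base}/home R\n")
        baseline = build_database(*spec)
        write("etc/hosts", "127.0.0.1 localhost evil\n")     # changed
        write("etc/newly.installed.file", "x\n")             # added
        os.remove(os.path.join(base, "etc/passwd"))          # deleted
        current = build_database(*spec)
        report = compare(baseline, current)
        accepted = update_entries(baseline, current, [os.path.join(base, "etc/newly.installed.file")])
        return {"history_recorded": os.path.join(base, "root/.bash_history") in baseline,
                "alice_recorded": os.path.join(base, "home/alice") in baseline,
                "added": rel(report["added"]), "deleted": rel(report["deleted"]),
                "changed": rel(report["changed"]), "added_after_update": rel(compare(accepted, current)["added"])}
    finally:
        shutil.rmtree(base)
```

demo() builds the tree under a temporary directory, changes one file, adds one and deletes one, then shows that accepting the new file with update_entries() removes it from the next report while the modified file stays flagged; the pruned .bash_history never enters the database and the "=" entry for home is recorded without its contents, which is what the chapter's "Truncate home" entry achieves.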


Some possible uses of Tripwire software 
Tripwire can be used to: 


1. Check the integrity of your file system.
2. Get a list of newly installed or removed files on your system.


List of installed Tripwire files on your system 


> /etc/tw.config
> /usr/sbin/tripwire
> /usr/sbin/siggen
> /usr/share/man/man5/tw.config.5
> /usr/share/man/man8/siggen.8
> /usr/share/man/man8/tripwire.8
> /var/spool/tripwire
> /var/spool/tripwire/tw.db_TEST
17 Monitoring & System Integrity - xinetd
In this Chapter 


Compiling - Optimizing & Installing Xinetd 
Configuring Xinetd 
Securing Xinetd 
Linux Xinetd - The Super Servers


Abstract 

Xinetd is a secure, powerful and efficient replacement for the old Internet services daemons
named inetd and tcp_wrappers (inetd does not provide effective resource management. It
will happily use up all your memory if you are running a popular service. It is unreliable under high
loads and will cut off service for 10 minutes if it receives too many connections in 1 minute). This
security tool can control denial-of-access attacks by providing access control mechanisms for all
services based on the address of the remote client that wants to connect to the server, as well as
the ability to make services available based on time of access, extensive logging, and the ability
to bind services to specific interfaces.


But wait, Xinetd is NOT efficient or adequate for all services, and especially for services like
FTP and SSH. It is far better to run these services as standalone daemons. Loading the FTP or
SSH daemons as standalone daemons will eliminate load time and will even reduce swapping
since non-library code will be shared. Also FTP and SSH have very good access control
mechanisms; therefore, don’t think that if you run these services through Xinetd you will gain
security.


A few security features of Xinetd are: 


Provide access control mechanisms
Prevent denial of service attacks
Extensive logging abilities
Offload services to a remote host
Make services available based on time
Limits on the number of servers that can be started
IPv6 support
User interaction


These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account “root”.
Whether kernel recompilation may be required: No
Latest Xinetd version number is 2.1.8.9pre15


Packages 
The following are based on information as listed by Xinetd as of 2001/05/20. Please regularly 
check at www.xinetd.org for the latest status. 


Pristine source code is available from: 


Xinetd Homepage: http://www.xinetd.org/
You must be sure to download: xinetd-2.1.8.9pre15.tar.gz
Pristine source

If you don’t use the RPM package to install this program, it will be difficult for you to locate all
the installed files on the system in the eventuality of an update in the future. To solve the problem,
it is a good idea to make a list of files on the system before you install Xinetd, and one
afterwards, and then compare them using the diff utility of Linux to find out what files are
placed where.


• Simply run the following command before installing the software:
[root@deep /root]# find /* > Xinetd1


• And the following one after you install the software:
[root@deep /root]# find /* > Xinetd2


• Then use the following command to get a list of what changed:
[root@deep /root]# diff Xinetd1 Xinetd2 > Xinetd-Installed


With this procedure, if any upgrade appears, all you have to do is to read the generated list of
what files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of
the system to store all generated list files.


Compiling - Optimizing & Installing xinetd 

Below are the required steps that you must make to configure, compile and optimize the Xinetd 
software before installing it into your Linux system. First off, we install the program as user ‘root’ 
so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


• These procedures can be accomplished with the following commands:
[root@deep /]# cp xinetd-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf xinetd-version.tar.gz


Step 2 
After that, move into the newly created Xinetd directory then configure and optimize it. 


• To move into the newly created Xinetd directory use the following command:
[root@deep tmp]# cd xinetd-2.1.8.9pre15/


• To configure and optimize Xinetd use the following compile lines:
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops" \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--with-loadavg \
--mandir=/usr/share/man


This tells Xinetd to set itself up for this particular hardware with: 


- ‘--with-loadavg’ allows Xinetd to deactivate some services when the machine is overloaded.
WARNING: Pay special attention to the compile CFLAGS line above. We optimize Xinetd for an
i686 CPU architecture with the parameters “-march=i686 and -mcpu=i686”. Please don’t forget
to adjust this CFLAGS line to reflect your own system and CPU architecture.


The “-fomit-frame-pointer” flag is an optimization dealing with the stack and cannot be
used with Xinetd. This is the reason why we don't use it here.





Step 3 

Now, we must make a list of files on the system before you install the software, and one
afterwards, then compare them using the diff utility to find out what files are placed where and
finally install Xinetd in the server:


[root@deep xinetd-2.1.8.9pre15]# make
[root@deep xinetd-2.1.8.9pre15]# cd
[root@deep /root]# find /* > Xinetd1
[root@deep /root]# cd /var/tmp/xinetd-2.1.8.9pre15/
[root@deep xinetd-2.1.8.9pre15]# make install
[root@deep xinetd-2.1.8.9pre15]# rm -f /usr/sbin/itox
[root@deep xinetd-2.1.8.9pre15]# rm -f /usr/share/man/man8/itox.8
[root@deep xinetd-2.1.8.9pre15]# strip /usr/sbin/xinetd
[root@deep xinetd-2.1.8.9pre15]# cd
[root@deep /root]# find /* > Xinetd2
[root@deep /root]# diff Xinetd1 Xinetd2 > Xinetd-Installed


The above commands will configure the software to ensure your system has the necessary
libraries to successfully compile the package, compile all source files into executable binaries,
and then install the binaries and any supporting files into the appropriate locations.


Pay special attention to the rm command: we use it to remove the itox binary and the itox.8 manual
page from the system because this utility is now replaced by the xconv.pl perl script. The strip
command will reduce the size of the xinetd binary program and make it faster.


Step 4 

Once compilation, optimization and installation of the software have been finished, we can free up 
some disk space by deleting the program tar archive and the related source directory since they 
are no longer needed. 


• To delete Xinetd and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf xinetd-version/
[root@deep tmp]# rm -f xinetd-version.tar.gz


The rm command as used above will remove all the source files we have used to compile and 
install Xinetd. It will also remove the Xinetd compressed archive from the /var/tmp directory. 
Step 5

One last thing to do is to remove the /etc/hosts.allow and /etc/hosts.deny files (if this has not
been done already) from your system. Yes, you can remove them safely: those files are related
to the TCP WRAPPERS program, which is no longer installed on the system because Xinetd does
the same job better and can run well without it. The files hosts.allow and hosts.deny are
installed by other Linux RPM packages during install. So we can remove them with the following
commands.


• To delete the hosts.allow and hosts.deny files from your system, use the commands:
[root@deep /]# rm -f /etc/hosts.allow
[root@deep /]# rm -f /etc/hosts.deny


Configuring Xinetd 
After building Xinetd, your next step is to verify or change, if necessary, the options in your Xinetd
configuration files. Those files are:


✓ /etc/xinetd.conf (The Xinetd Configuration File)
✓ /etc/rc.d/init.d/xinetd (The Xinetd Initialization File)


/etc/xinetd.conf: The xinetd Configuration File 

The xinetd.conf file determines the services provided by xinetd. It basically contains
a list of IP services to listen to and tells the xinetd daemon (also known as the super-server) which
ports to listen on, as listed in its configuration file, and what server to start for each
port, among other things. When it receives a connection on a port it checks to see if it has a
service for it, and if the service exists, then it attempts to start the appropriate server. The first thing to
look at as soon as you put your Linux system on ANY network is what Xinetd services you need
to offer and enable via the configuration file /etc/xinetd.conf.


Below are some of the default services handled by this secure and powerful program, that you
can run through its configuration file. For easy interpretation, we have separated them into groups
according to their nature.


Group 1: BSD services
✓ login
✓ shell
✓ exec
✓ comsat
✓ talk
✓ ntalk

Group 2: Standard Internet services
✓ telnet
✓ ftp

Group 3: Other services
✓ name
✓ uucp
✓ tftp

Group 4: Information services
✓ finger
✓ systat
✓ netstat

Group 5: Internal services
✓ echo
✓ chargen
✓ daytime
✓ time
✓ servers
✓ services

Group 6: RPC services
✓ rstatd
✓ rquotad
✓ rusersd
✓ sprayd
✓ walld

Group 7: User Mail Agent services
✓ imap
✓ imaps
✓ pop2
✓ pop3
✓ pop3s
As you can imagine, for a secure server, most of the group services which are available through
Xinetd are insecure by their nature and must be disabled if you don’t use them. Of course
Xinetd exists because those services are insecure. It tries to make them more secure by having
control of them, but since we don’t use many of those risky services it is better to have a program
that can monitor and control the ones we may need, such as IMAP or POP, and exclude all of the
rest. In this manner, we can be reassured that even the small number of services that we could
offer are monitored, controlled, logged, etc. and stay in our control. It is important to note that
services which you do not need to offer should be uninstalled, so that you have one less thing to
worry about, and attackers have one less place to look for a hole.


Understanding /etc/xinetd.conf 

OK, now it is time to talk about and understand a bit more of the format of the /etc/xinetd.conf
file. The services listed in xinetd.conf can be separated into two major sections, which are
called the “defaults section” and the “services sections”. Below is an explanation and
configuration of each one:


The defaults section of Xinetd configuration file:

The defaults section, as its name implies, states default settings for the services specified
elsewhere in the file (attributes in this section will be used by every service Xinetd manages).
The defaults section can contain a number of attributes as shown below (each attribute
defined in this section keeps the provided value(s) for all the services described next). There can
be only one defaults section in a xinetd.conf file. Here are the most important attributes
in the defaults section of your xinetd.conf file for maximum security; a complete listing
and/or special requirements are available in the manual pages for xinetd (8) and xinetd.conf
(5), and it is preferable not to talk about all of them to keep this tutorial as simple as possible.


If you need some special services that are not described here to run through Xinetd, refer to the 
appropriate manual page, in this manner you will have the opportunity to become familiar with the 
software and to add new or needed services when time will arrive. From now, we must create, 
check or change the default one to fit our requirements and operating system. The text in bold are 
the parts of the configuration file that must be customized and adjusted to meet our needs. 


• Create the xinetd.conf file (touch /etc/xinetd.conf) and set your needs for the
defaults section of this file. Below is just an example:


defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        only_from       =
        per_source      = 5
        enabled         = pop3s imaps
}


This tells the defaults section of the xinetd.conf file to set itself up for this particular
configuration with:
instances = 60

The option instances specifies the maximum number of requests that can be simultaneously
active for a service. It also says that for any service that doesn't specify its own instances
attribute, that service will be limited to 60 connections. The special value "UNLIMITED" can be
used to specify an unlimited number of connections. This attribute will protect from Denial of
Service (DoS) attacks.





log_type = SYSLOG authpriv

The option log_type specifies the log type format you want to use (you may choose FILE or
SYSLOG) to capture the output the service generates. For the FILE log type, the value is
the full path to the log file, and for the SYSLOG log type, the syslog facility of the system.








log_on_success = HOST PID

The option log_on_success specifies what is to be logged when a server is started. This
attribute accepts five different values: PID (logs the pid xinetd uses to spawn the server),
HOST (logs the remote host's IP address), USERID (logs the userid of the remote user as
returned by the remote identd daemon service if available), EXIT (logs the exit status of the server
when it exits), and DURATION (logs the duration of the server session).


log_on_failure = HOST

The option log_on_failure specifies what is to be logged when either the server could not be
started due to lack of resources, or access was denied via the rules in the configuration file. This
attribute accepts four valid values: HOST (logs the remote host's IP address), USERID (logs
the userid of the remote user as returned by the remote identd daemon service if available),
ATTEMPT (acknowledges that a failed attempt was made), and RECORD (grabs as much info
as is possible about the remote end).


only_from =

The attribute only_from specifies which remote hosts are allowed to connect to the server and
use this service. Denying access to everyone by default is the first step of a reliable security
policy. Not giving a value to this attribute makes every connection fail. This is the same principle
as for the IPTABLES firewall rules. In our example we deny access to all connections, then allow
access by means of this same attribute for specific services under the services sections of
Xinetd. Other combinations for the value of the "only_from" attribute exist; please consult the
manual page xinetd.conf (5) for more information.





per_source = 5 

The option per_source specifies the maximum number of connections a specific remote IP 
address can have to a specific local service. It can either be an integer, or the special value 
"UNLIMITED" for an unlimited number of connections. This attribute will protect from Denial of 
Service (DoS) attacks. 





enabled = pop3s imaps

The option enabled takes a list of service names to enable with the super-server. The most
interesting part is that it will enable only the services listed as arguments to this attribute and the
rest will be disabled. Each service name you add to this attribute line can be listed and set up in
the services sections of the Xinetd configuration file. If you forget to add a service name
you want to run through xinetd to the attribute “enabled”, then this service will not work
even if you add its required configuration lines in the services sections; therefore don’t forget
to check for the existence of this attribute line (enabled) and set all services you want to be
available with Xinetd for filtering (in our example we only enable at this time the services pop3s and
imaps).
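As an added example (not xinetd's own code), the following Python parses the defaults stanza laid out as above and the per-service stanzas of an xinetd.conf, and audits them for the points just made: an empty only_from as the default deny, the instances and per_source limits, and services that have a stanza but are missing from enabled (and so will not run). The sample configuration, the 192.0.2.x addresses and the finding texts are constructed for this example; the audit rules are the example's own heuristics, not checks xinetd performs.

```python
"""Parser and audit for xinetd.conf files laid out as in this chapter.
Added example, not xinetd's code. It reads 'defaults { }' and 'service NAME { }' stanzas
with 'attr = value' lines ('+=' and '-=' as in xinetd.conf(5)); the findings are this
example's own heuristics for the points made above, not checks xinetd performs."""
import re

_STANZA = re.compile(r"\b(defaults|service\s+(\S+))\s*\{(.*?)\}", re.S)
_ATTR = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")

def parse_xinetd_conf(text):
    """Return (defaults, services); each maps attribute name -> list of values."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    defaults, services = {}, {}
    for m in _STANZA.finditer(text):
        attrs = {}
        for line in filter(None, (l.strip() for l in m.group(3).splitlines())):
            a = _ATTR.match(line)
            if a is None:
                raise ValueError("cannot parse attribute line: %r" % line)
            name, op, value = a.groups()
            base = attrs.get(name, defaults.get(name, []))   # '+=' and '-=' build on the defaults
            if op == "=":
                attrs[name] = value.split()
            elif op == "+=":
                attrs[name] = base + value.split()
            else:
                attrs[name] = [v for v in base if v not in value.split()]
        if m.group(1) == "defaults":
            defaults = attrs
        else:
            services[m.group(2)] = attrs
    return defaults, services

def audit(defaults, services):
    """Findings for the chapter's hardening points: default deny, limits, the enabled list."""
    findings = []
    if "only_from" not in defaults:
        findings.append("defaults: only_from is absent, so there is no default deny")
    elif defaults["only_from"]:
        findings.append("defaults: only_from=%s grants access to every service by default" % " ".join(defaults["only_from"]))
    for attr in ("instances", "per_source"):
        if defaults.get(attr, ["UNLIMITED"]) == ["UNLIMITED"]:
            findings.append("defaults: %s is UNLIMITED, no protection against connection floods" % attr)
    enabled = set(defaults.get("enabled", []))
    for name, attrs in services.items():
        if name not in enabled:
            findings.append("service %s: defined but not listed in enabled, so xinetd will not offer it" % name)
        allowed = attrs.get("only_from", defaults.get("only_from"))   # None when neither sets it
        if allowed == []:
            findings.append("service %s: only_from is empty, every connection will be refused" % name)
        elif allowed and any(v in ("0.0.0.0/0", "0.0.0.0") for v in allowed):
            findings.append("service %s: only_from admits any client, access control rests on no_access=%s"
                            % (name, " ".join(attrs.get("no_access", [])) or "(unset)"))
        if attrs.get("user") == ["root"]:
            findings.append("service %s: runs as root, confirm the server really needs it" % name)
    for name in sorted(enabled - set(services)):
        findings.append("enabled lists %s but no service stanza defines it" % name)
    return findings

SAMPLE_CONF = """\
# constructed xinetd.conf in the chapter's layout; 192.0.2.x addresses are placeholders
defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST
        only_from       =
        per_source      = 5
        enabled         = pop3s imaps
}
service pop3s
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        only_from       = 0.0.0.0/0   # allows every client
        no_access       = 192.0.2.10
        log_on_success  += USERID
        log_on_failure  += USERID
        nice            = -2
}
service imaps
{
        user            = root
        server          = /usr/sbin/imapd
}
service time
{
        type            = INTERNAL
        socket_type     = stream
        only_from       = 192.0.2.0/24
}
"""

def run_audit(text=SAMPLE_CONF):
    return audit(*parse_xinetd_conf(text))
```

Running run_audit() on the sample reports nothing for the defaults stanza (default deny and both limits are in place), flags imaps because it inherits the empty only_from and is therefore unreachable, flags time because it has a stanza but is not in enabled, and notes that pop3s is open to every client with only the no_access address excluded, which is exactly the split the chapter describes between a global deny and per-service allows.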
The services sections of Xinetd configuration file:

Now that the defaults section attributes are complete, we'll move on to the services sections.
Contrary to the defaults section, the services sections define individual services to be
started by the Xinetd daemon and how they'll be started. It is important to note that if the service
names we want to offer and enable via the xinetd configuration file are not specified in the
“enabled” attribute line of the previous defaults section (see the defaults section of
Xinetd configuration file for more information), then they are considered to be disabled by default
and we don’t need to worry about them.


The services sections have a number of attributes that can be specified; most are required
and are the same for all available services, others are optional or are a security feature and
depend on what services you want to run and include in your xinetd.conf file. Below we will
show you different configuration options for the pop3s, time, chargen, echo, daytime, and
imaps services. In this way you will have a good idea of the specific parameters available for
different services which can run through Xinetd, and how to play with them.


If you remember, we said at the beginning of this tutorial that we don’t need to install TCP
WRAPPER anymore with Xinetd on Linux. TCP WRAPPER is a program that controls who can or
cannot log in to the server and from where. Contrary to its predecessor (inetd), Xinetd has two
powerful features already built into it, which allow you to have the same and even better control
than the TCP WRAPPER program could offer you.


The first feature is named “only_from”; this attribute with its list of IP addresses determines the
remote hosts to which the particular service is available.


The second attribute is named “no_access” and determines the remote hosts to which the
particular service is unavailable.


The use of these two attributes determines the host-based access control enforced by Xinetd.
One very interesting part of these two attributes is the possibility to build a very restrictive but
flexible access control program.


For each service, we must check or change the default one to fit our requirements and operating 
system. The text in bold is the part of the configuration file that must be customized and 
adjusted to satisfy your needs. 


For pop3s service: 

• Edit the xinetd.conf file (vi /etc/xinetd.conf) and set your needs under the 
services sections of this file. The first thing you'll probably notice here is that, 
contrary to the old inetd software, the services sections are now split into individual 
service configurations. Below is just an example for a pop3s service: 


service pop3s 
{ 
        socket_type     = stream 
        wait            = no 
        user            = root 
        server          = /usr/sbin/ipop3d 
        only_from       = 0.0.0.0/0 #allows every client 
        no_access       = 207.35.78.10 
        instances       = 30 
        log_on_success  += USERID 
        log_on_failure  += USERID 
        nice            = -2 
} 
This tells the services sections of the xinetd.conf file to set itself up for this particular 
configuration with: 


service pop3s 

The option service specifies a unique name for the service you wish to configure. This name is 
what the program uses to look up the service information in the /etc/services file. Be aware 
that you cannot use any name you want for this attribute; protocols exist for this purpose, and if 
you don’t know exactly the correct name to use to enable your needed services, then edit the 
/etc/services file and look inside it for the appropriate name for your requirements. 


socket_type = stream 

The option socket_type specifies the type of socket to be used for the specific service. The 
available values are: “stream”, “dgram”, “raw”, “rdm”, or “seqpacket”, depending on whether 
the socket is a stream, datagram, raw, reliably delivered message, or sequenced packet socket. 
For the pop3s service we must choose and set this attribute to the value “stream”. 





wait = no 

The option wait specifies if a datagram server connected to its peer allows the xinetd daemon 
to receive further messages on the socket or not. If the answer is yes (xinetd can receive 
further messages on the socket with this program) then this program should use the “nowait” 
entry and we will set the value of wait to no to indicate the “nowait” entry. This is the default for 
most services under Xinetd. 


user = root 

The option user contains the user name of the user the server should run as. Usually this value 
is set to the super-user account named “root”, but for better security it is preferable to check whether 
the software you want to run through Xinetd accepts other values. 


server = /usr/sbin/ipop3d 
The option server contains the pathname of the program, which is to be executed by xinetd 
when a request is found on its socket. 


only_from = 0.0.0.0/0 

The attribute only_from specifies which remote hosts are allowed to connect to the server and 
use this service. By default we have denied access to everyone in the default section of Xinetd, 
therefore we must allow access for the specific service in question in this section of the 
configuration file. For a public mail server that runs an IMAP or POP server it is important to set the 
value of this line to 0.0.0.0/0 in your configuration since connections can come from different 
places. 


no_access = 207.35.78.10 

The attribute no_access specifies which remote hosts are not allowed to connect to the server 
and use this service. In our example, we don’t allow the machine with IP address of 207.35.78.10 
to connect with pop3s. As you can see, the combination of both attributes (only_from and 
no_access) allows us to tie and have a full control of what can pass through our network. 
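The way only_from and no_access combine is easiest to see on a few concrete addresses. The script below is an added example, not code from the book or from xinetd: it models each list as a set of bare addresses (treated as /32) or a.b.c.d/len networks, picks the longest matching prefix in each list, and lets a no_access match that is at least as specific as the only_from match deny the client. That tie-breaking rule is an assumption made for this model; the addresses used as input are the constructed ones from the pop3s and time examples on this page.

```shell
#!/bin/sh
# Added example (not from the book or from xinetd): a model of how the
# only_from and no_access lists decide whether a client address may use a
# service. Entries are bare addresses (treated as /32) or a.b.c.d/len networks.

# ip_to_int 207.35.78.10 -> the address as a 32-bit integer
ip_to_int() {
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_match ADDR ENTRY -> prints the prefix length if ADDR lies inside ENTRY,
# prints nothing otherwise.
cidr_match() {
    net=${2%/*}
    case $2 in
        */*) len=${2#*/} ;;
        *)   len=32 ;;
    esac
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    fi
    a=$(ip_to_int "$1")
    n=$(ip_to_int "$net")
    if [ $(( a & mask )) -eq $(( n & mask )) ]; then
        echo "$len"
    fi
}

# best_match ADDR ENTRY... -> longest matching prefix length, or -1 if nothing matches
best_match() {
    addr=$1
    shift
    best=-1
    for entry in "$@"; do
        m=$(cidr_match "$addr" "$entry")
        if [ -n "$m" ] && [ "$m" -gt "$best" ]; then
            best=$m
        fi
    done
    echo "$best"
}

# xinetd_access ADDR "ONLY_FROM LIST" "NO_ACCESS LIST" -> allow or deny
# Modelled rule (an assumption about xinetd's tie-breaking): the address must
# match only_from, and a no_access match that is at least as specific wins.
# An empty only_from list, as in the defaults section, denies everyone.
xinetd_access() {
    allow=$(best_match "$1" $2)
    deny=$(best_match "$1" $3)
    if [ "$allow" -lt 0 ] || [ "$deny" -ge "$allow" ]; then
        echo deny
    else
        echo allow
    fi
}

# Constructed inputs taken from the pop3s and time examples.
xinetd_access 207.35.78.10 "0.0.0.0/0" "207.35.78.10"                       # deny
xinetd_access 207.35.78.11 "0.0.0.0/0" "207.35.78.10"                       # allow
xinetd_access 192.168.1.20 "207.35.78.0/24 192.168.1.0/24" "207.35.78.10"   # allow
xinetd_access 10.0.0.1     "207.35.78.0/24 192.168.1.0/24" "207.35.78.10"   # deny
```

Running the four calls shows the two effects the text describes: the wide-open only_from of the pop3s service still lets the single no_access address be refused, and the time service's only_from networks deny everything outside 207.35.78.0/24 and 192.168.1.0/24 without any no_access entry being needed.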


instances = 30 

As noted in the previous defaults section, the option instances specifies the maximum 
number of requests any service may handle at once. Setting this attribute in the service 
definition overrides whatever is in the defaults section (instances = 60). 
log_on_success += USERID 

As noted in the previous defaults section, the option log_on_success specifies what is to 
be logged when a server is started. For a pop3s connection we choose to log the userid of the 
remote user as returned by remote identd daemon service if available (USERID). Take a special 
note to the assignment operator in this case ‘+=’ which means to add the value to the set. 





log_on_failure += USERID 

As noted in the previous defaults section, the option log_on_failure specifies what is to 
be logged when either the server could not be started due to lack of resources, or access was 
denied via the rules in the configuration file. For a pop3s connection we choose to log the 
userid of the remote user as returned by the remote identd daemon service if available. 





nice = -2 

The option nice specifies the service's process priority on Unix by modifying the default 
scheduling priority of the process. The default priority for a normal program, like pop3, is 10 and, 
as described in nice(1), the range goes from -20 (highest priority) to 19 (lowest). By 
increasing the priority of the pop3s process the connection time will be faster. This hack can be 
applied to any other process running on Unix; see the manual page about the command nice(1) 
for more information on this feature. 


For time service: 


• Edit the xinetd.conf file (vi /etc/xinetd.conf) and set your needs under the 
services sections of this file. Below is just an example for a time server service 
which is used by the rdate program: 


# description: An RFC 868 time server. This is the tcp \ 
# version, which is used by rdate. 
service time 
{ 
        socket_type     = stream 
        wait            = no 
        user            = root 
        type            = INTERNAL 
        id              = time-stream 
        protocol        = tcp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
} 


# description: An RFC 868 time server. This is the udp \ 
# version. 
service time 
{ 
        socket_type     = dgram 
        wait            = yes 
        user            = root 
        type            = INTERNAL 
        id              = time-dgram 
        protocol        = udp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
        port            = 37 
} 
This tells the services sections of the xinetd.conf file to set itself up for this particular 
configuration with: 





socket_type = stream and socket_type = dgram 

As described previously, the option socket_type specifies the type of socket to be used for the 
specific service. The available values are: “stream”, “dgram”, “raw”, “rdm”, or “seqpacket”, 
depending on whether the socket is a stream, datagram, raw, reliably delivered message, or 
sequenced packet socket. For the time service we must choose “stream” for the TCP connection and 
“dgram” for the UDP connection. 


wait = no and wait = yes 

As described previously, the option wait specifies whether a datagram server connected to its peer 
allows the xinetd daemon to receive further messages on the socket or not. If the answer is yes 
(xinetd can receive further messages on the socket with this program) then this program should 
use the “nowait” entry and we set the value of wait to no to indicate the “nowait” entry. It is 
important to note that the UDP protocol by its nature does not allow the peer daemon to receive further 
messages, and it is for this reason that we set the wait attribute for the UDP version of the time 
server to yes (xinetd cannot receive further messages on the socket with this program). 





type = INTERNAL 

Well, here we see a new attribute; the option type specifies the type of service. The available 
values are: “RPC”, “INTERNAL”, and “UNLISTED”, depending on whether the specific program is 
an RPC service (type = RPC), a service provided by Xinetd (type = INTERNAL), or a 
service not listed in a standard system file like /etc/rpc for RPC services or 
/etc/services for non-RPC services (type = UNLISTED). In our case the time server is 
provided by xinetd. 

















id = time-stream and id = time-dgram 

Ok, here is another new attribute. By default with xinetd the attribute id is the same as the 
service name, but sometimes (as in our example time server) the same service can use 
different protocols (TCP or UDP) and needs to be described with different entries in the 
configuration file for Xinetd to be able to distinguish them. With this attribute (id), we can uniquely 
identify the same service when it uses different communication protocols like TCP and UDP. 


protocol = tcp and protocol = udp 

We continue our discovery with the new attribute named “protocol”; this option determines the 
type of protocol that is employed by the specific service. In our example the time server uses TCP 
and UDP, and we specify this information with the “protocol” attribute of Xinetd. 


only_from = 207.35.78.0/24 192.168.1.0/24 

The attribute only_from specifies which remote hosts are allowed to connect to the server and 
use this service. By default we have denied access to everyone in the default section of Xinetd, 
therefore we must allow access for the specific service in question in this section of the 
configuration file of Xinetd. In our example we allow all machines under the 207.35.78.0 and 
192.168.1.0 IP addresses class range to connect with time server. 


no_access = 207.35.78.10 

The attribute no_access specifies which remote hosts are not allowed to connect to the server 
and use this service. In our example we don’t allow the machine with IP address 207.35.78.10 
under the 207.35.78.0 IP address class range to connect with the time server. As you can see, 
the combination of both attributes (only_from and no_access) allows us to tie down and have full 
control of what can pass through our network. 
port = 37 

Sometimes, and especially with the UDP protocol, it is preferable to specify to the program on 
which port we want the connection to be established. The “port” option makes this possible by 
determining the service port. 


For chargen service: 


• Edit the xinetd.conf file (vi /etc/xinetd.conf) and set your needs under the 
services sections of this file. Below is just an example for a chargen service: 


# description: A chargen server. This is the tcp \ 
# version. 
service chargen 
{ 
        socket_type     = stream 
        wait            = no 
        user            = root 
        type            = INTERNAL 
        id              = chargen-stream 
        protocol        = tcp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
} 


# description: A chargen server. This is the udp \ 
# version. 
service chargen-udp 
{ 
        socket_type     = dgram 
        wait            = yes 
        user            = root 
        type            = INTERNAL 
        id              = chargen-dgram 
        protocol        = udp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
        port            = 19 
} 


Here, you are supposed to know and understand every attribute as shown above. If you have 
problems, then refer to the previous time server configuration parameters for more information. 


For echo service: 


• Edit the xinetd.conf file (vi /etc/xinetd.conf) and set your needs under the 
services sections of this file. Below is just an example for an echo service: 


# description: An echo server. This is the tcp \ 
# version. 
service echo 
{ 
        socket_type     = stream 
        wait            = no 
        user            = root 
        type            = INTERNAL 
        id              = echo-stream 
        protocol        = tcp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
} 


# description: An echo server. This is the udp \ 
# version. 
service echo-udp 
{ 
        socket_type     = dgram 
        wait            = yes 
        user            = root 
        type            = INTERNAL 
        id              = echo-dgram 
        protocol        = udp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
        port            = 7 
} 


For daytime service: 


• Edit the xinetd.conf file (vi /etc/xinetd.conf) and set your needs under the 
services sections of this file. Below is just an example for a daytime service: 


# description: A daytime server. This is the tcp \ 
# version. 
service daytime 
{ 
        socket_type     = stream 
        wait            = no 
        user            = root 
        type            = INTERNAL 
        id              = daytime-stream 
        protocol        = tcp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
} 


# description: A daytime server. This is the udp \ 
# version. 
service daytime-udp 
{ 
        socket_type     = dgram 
        wait            = yes 
        user            = root 
        type            = INTERNAL 
        id              = daytime-dgram 
        protocol        = udp 
        only_from       = 207.35.78.0/24 192.168.1.0/24 
        no_access       = 207.35.78.10 
        port            = 13 
} 
For imaps service: 

At this stage of your reading, you know the most important attributes and values for Xinetd, but 
be aware that many others exist, like the “redirect” attribute, which allows a TCP service to be 
redirected to another host in your network. This option is useful when your internal machines are 
not visible to the outside world and you want to connect to them from outside the network. The “bind” 
attribute is another one, which allows a service to be bound to a specific interface of your choice 
on the server for maximum security. 


• Edit the xinetd.conf file (vi /etc/xinetd.conf) and set your needs under the 
services sections of this file. Below is just an example for an imaps service: 


service imaps 
{ 
        socket_type     = stream 
        wait            = no 
        user            = root 
        server          = /usr/sbin/imapd 
        only_from       = 0.0.0.0/0 #allows every client 
        no_access       = 207.35.78.10 
        instances       = 30 
        log_on_success  += DURATION USERID 
        log_on_failure  += USERID 
        nice            = -2 
        redirect        = 192.168.1.14 993 
        bind            = 207.35.78.3 
} 


This tells the services sections of xinetd.conf file to set itself up for this particular 
configuration with: 


redirect = 192.168.1.14 993 

The attribute redirect allows a TCP service received on the specified port (in our example the 
port 993) to be redirected to another host (192.168.1.14) by forwarding all data between the two 
hosts. 


bind = 207.35.78.3 

The attribute bind allows a service of your choice to be bound to a specific interface on the 
server. In our case the imaps service is bound to the interface 207.35.78.3. Therefore, if someone 
from the allowed hosts tries to reach the service through another interface on the server, Xinetd will refuse 
the connection. This is a security feature. 


Sample /etc/xinetd.conf: The Xinetd Configuration File 

All of the interesting options we’ve shown you previously can easily be applied to the majority of 
services you want to run. Now, it is up to you and only you to decide how to mix and apply these 
attributes to fit your personal configuration and needs. Below we show you a sample 
xinetd.conf file that you can use to begin with a secure server. 


• Edit the xinetd.conf file (vi /etc/xinetd.conf) and set your needs. Below is 
what we recommend you to enable at this time: 


defaults 
{ 
        instances       = 60 
        log_type        = SYSLOG authpriv 
        log_on_success  = HOST PID 
        log_on_failure  = HOST 
        only_from       = 
        per_source      = 5 
        enabled         = pop3s imaps 
} 








NOTE: More service examples exist under the subdirectory named xinetd of the Xinetd source 
archive. Check for files with names like sample.conf in this subdirectory (xinetd) if you need 
services which are not explained in this tutorial. 





/etc/rc.d/init.d/xinetd: The Xinetd Initialization File 
The /etc/rc.d/init.d/xinetd script file is responsible for automatically starting and stopping the 
Xinetd daemon on your server. 


Step 1 
Create the xinetd script file (touch /etc/rc.d/init.d/xinetd) and add the following lines 
inside it: 


#!/bin/sh 
# 
# xinetd        This starts and stops xinetd. 
# 
# chkconfig: 345 50 50 
# description: xinetd is a powerful replacement for inetd. \ 
#              xinetd has access control mechanisms, extensive \ 
#              logging capabilities, the ability to make services \ 
#              available based on time, and can place \ 
#              limits on the number of servers that can be started, \ 
#              among other things. 
# 
# processname: /usr/sbin/xinetd 
# config: /etc/sysconfig/network 
# config: /etc/xinetd.conf 
# pidfile: /var/run/xinetd.pid 

PATH=/sbin:/bin:/usr/bin:/usr/sbin 

# Source function library. 
. /etc/init.d/functions 

# Get config. 
test -f /etc/sysconfig/network && . /etc/sysconfig/network 

# Check that networking is up. 
[ "${NETWORKING}" = "yes" ] || exit 0 

[ -f /usr/sbin/xinetd ] || exit 1 
[ -f /etc/xinetd.conf ] || exit 1 

RETVAL=0 

start() { 
        echo -n "Starting xinetd: " 
        daemon xinetd -reuse -pidfile /var/run/xinetd.pid 
        RETVAL=$? 
        echo 
        touch /var/lock/subsys/xinetd 
        return $RETVAL 
} 

stop() { 
        echo -n "Stopping xinetd: " 
        killproc xinetd 
        RETVAL=$? 
        echo 
        rm -f /var/lock/subsys/xinetd 
        return $RETVAL 
} 

reload() { 
        echo -n "Reloading configuration: " 
        killproc xinetd -USR2 
        RETVAL=$? 
        echo 
        return $RETVAL 
} 

# Used by the restart and condrestart targets below. 
restart() { 
        stop 
        start 
} 

condrestart() { 
        [ -e /var/lock/subsys/xinetd ] && restart 
        return 0 
} 

# See how we were called. 
case "$1" in 
  start) 
        start 
        ;; 
  stop) 
        stop 
        ;; 
  status) 
        status xinetd 
        ;; 
  restart) 
        restart 
        ;; 
  reload) 
        reload 
        ;; 
  condrestart) 
        condrestart 
        ;; 
  *) 
        echo "Usage: xinetd {start|stop|status|restart|condrestart|reload}" 
        RETVAL=1 
esac 

exit $RETVAL 
Step 2 

Once the xinetd script file has been created, it is important to make it executable, change its 
default permissions, create the necessary links and start it. Making this file executable allows 
the system to run it; changing its default permissions allows only the root user to change this 
file, for security reasons; and creating the symbolic links lets the process that controls the 
initialization of Linux, which is in charge of starting all the normal and authorized processes that 
need to run at boot time on your system, start the program automatically for you at each boot. 


• To make this script executable and to change its default permissions, use the commands: 
[root@deep /]# chmod 700 /etc/rc.d/init.d/xinetd 
[root@deep /]# chown 0.0 /etc/rc.d/init.d/xinetd 


• To create the symbolic rc.d links for Xinetd, use the following commands: 
[root@deep /]# chkconfig --add xinetd 
[root@deep /]# chkconfig --level 345 xinetd on 


• To start the Xinetd software manually, use the following command: 
[root@deep /]# /etc/rc.d/init.d/xinetd start 
Starting xinetd: [OK] 

















NOTE: All the configuration files required for each software described in this book have been 
provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be 
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can 
unpack this to any location on your local machine, say for example /var/tmp; assuming you 
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy 
directory each configuration file has its own directory for the respective software. You can either cut 
and paste these directly if you are faithfully following our instructions from the beginning, or 
manually edit them to fit your needs. This facility is there as a convenience, but 
please don't forget that ultimately it is your responsibility to check and verify them before you use 
them, whether modified or as they are. 





Securing Xinetd 

Xinetd is a small and efficient security tool that runs on your system with just a few files 
installed. The only component of Xinetd that can be secured is its configuration file; below we 
show you some steps to secure /etc/xinetd.conf for optimal security. 


Step 1 
Make your /etc/xinetd.conf file “Read” only by the super-user “root” by changing its default 
permission. This is important because no one needs to touch this file. 


e To make your xinetd.conf file “read” only by “root”, use the command: 
[root@deep /]# chmod 400 /etc/xinetd.conf 


Step 2 
One more security measure you can take to secure xinetd.conf is to set it immutable, using 
the chattr command. 


e To set the file immutable simply, execute the following command: 
[root@deep /]# chattr +i /etc/xinetd.conf 
This will prevent any changes (accidental or otherwise) to the xinetd.conf file. A file with the 
immutable attribute “i” set cannot be modified, deleted or renamed, no link can be created to this 
file and no data can be written to it. The only person that can set or clear this attribute is the 
super-user root. 

If you wish later to modify the xinetd.conf file you will need to unset the immutable flag: 

• To unset the immutable flag, simply execute the following command: 
[root@deep /]# chattr -i /etc/xinetd.conf 


Further documentation 
For more details, there are some man pages you can read: 


$ man xinetd.conf (5) - configuration settings for xinetd 
$ man xinetd.log (8) - xinetd service log format 
$ man xinetd (8) - the extended Internet services daemon 


List of installed Xinetd files on your system 


> /usr/sbin/xinetd 
> /usr/sbin/xconv.pl 
> /etc/xinetd.conf 
> /etc/rc.d/init.d/xinetd 
> /usr/share/man/man5/xinetd.conf.5 
> /usr/share/man/man8/xinetd.log.8 
> /usr/share/man/man8/xinetd.8 
Part VI Management & Limitation Related Reference 
In this Part 


Management & Limitation - Quota 


Here we will talk about a tool which can be used to control the size of users' directories. This part of 
the book is optional and will be interesting only for companies who provide Mail, Web, or FTP 
services to their customers and want to control the amount of MB allowed for each user on the 
system for the specific service. 


Quota counts as a security tool since it allows you to limit the disk space that users may consume on 
the system; without a program like quota, users may fill as much disk space as they want and, as 
you can imagine, this will bring big problems for you. 
18 Management & Limitation - Quota 
In this Chapter 


Building a kernel with Quota support enable 
Modifying the /etc/fstab file 

Creating the quota.user and quota. group files 
Assigning Quota for Users and Groups 

Quota Administrative Tools 




Set Quota on your Linux system 


Abstract 

Quota is a system administration tool for monitoring and limiting users' and/or groups' disk 
usage, per file system. Two features of disk storage are available with the Quota tool to set 
limits: the first is the number of inodes (number of files) a user or a group of users may possess, 
and the second is the number of disk blocks (amount of space in kilobytes) that may be allocated 
to a user or a group of users. With Quota, users are forced by the system administrator not to 
consume an unlimited amount of disk space on a system. This program works on a per-user and 
per-file-system basis and must be set up separately for each file system. 


It is useful for Mail, Web, and FTP Servers where limitations must be applied on the users, but 
can be used for any other purpose. It is up to you to decide where and how to use it. 


Build a kernel with Quota support enabled 

The first thing you need to do is ensure that your kernel has been built with Quota support 
enabled. In the 2.4 kernel version you need to ensure that you have answered y to the following 
question: 


* Filesystems 
Quota support (CONFIG_QUOTA) [N/y/?] y 


Prerequisites 
The Quota tool must be already installed on your system. If this is not the case, you must install it 
from your Linux CD-ROM or source archive files. 


• To verify if the Quota package is installed on your system, use the command: 
[root@deep /]# rpm -q quota 
package quota is not installed 


• To mount your CD-ROM drive before installing the required package, use the command: 
[root@deep /]# mount /dev/cdrom /mnt/cdrom/ 
mount: block device /dev/cdrom is write-protected, mounting read-only 


• To install the quota package on your Linux system, use the following commands: 
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/ 
[root@deep RPMS]# rpm -Uvh quota-version.i386.rpm 
quota                    ################################################## 


• To unmount your CD-ROM drive, use the following command: 
[root@deep RPMS]# cd /; umount /mnt/cdrom/ 


Modifying the /etc/fstab file 

The /etc/fstab file contains information about various file systems installed on your Linux 
server. Quota must be enabled in the fstab file before you can use it. Since Quota must be set 
for each file system separately, and because in the fstab file, each file system is described ona 
separate line, Quota must be set on each of the separate lines in the fstab for which you want 
to enable Quota support. 
Step 1 

With the program Quota, depending on your needs, etc, you can enable Quota for users, groups 
or both (users and groups). For all examples below, we'll use the /home/ directory and shows 
you the three possibilities. 


Possibility 1: 


• To enable user Quota support on a specific file system, edit your fstab file (vi 
/etc/fstab) and add the "usrquota" option to the fourth field after the word 
"defaults" or any other options you may have set for this specific file system. 


As an example change: 

LABEL=/home    /home    ext2    defaults        1 2    (as an example: the word “defaults”) 
LABEL=/home    /home    ext2    nosuid,nodev    1 2    (as an example: any other options you have set) 

To read: 

LABEL=/home    /home    ext2    defaults,usrquota        1 2 
LABEL=/home    /home    ext2    nosuid,nodev,usrquota    1 2 
Possibility 2: 


• To enable group Quota support on a file system, edit your fstab file (vi 
/etc/fstab) and add "grpquota" to the fourth field after the word "defaults" or any 
other options you may have set for this specific file system. 


As an example change: 

LABEL=/home    /home    ext2    defaults        1 2    (as an example: the word “defaults”) 
LABEL=/home    /home    ext2    nosuid,nodev    1 2    (as an example: any other options you have set) 

To read: 

LABEL=/home    /home    ext2    defaults,grpquota        1 2 
LABEL=/home    /home    ext2    nosuid,nodev,grpquota    1 2 
Possibility 3: 


• To enable both user Quota and group Quota support on a file system, edit your 
fstab file (vi /etc/fstab) and add "usrquota,grpquota" to the fourth field after 
the word "defaults" or any other options you may have set for this specific file system. 


Change: 

LABEL=/home    /home    ext2    defaults        1 2    (as an example: the word “defaults”) 
LABEL=/home    /home    ext2    nosuid,nodev    1 2    (as an example: any other options you have set) 

To read: 

LABEL=/home    /home    ext2    defaults,usrquota,grpquota        1 2 
LABEL=/home    /home    ext2    nosuid,nodev,usrquota,grpquota    1 2 
Step 2 
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the 
system about the modification. 


• This can be accomplished with the following command: 
[root@deep /]# mount -oremount /home/ 


Each file system that has been modified must be remounted with the command shown above. In 
our example we have modified the /home/ file system. 
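The three possibilities above are the same edit applied to one field of one fstab line, and doing it by hand is where typos creep in (a missing comma in the fourth field stops the file system from mounting). The script below is an added example, not from the book or the quota package: it reads fstab text on standard input, adds the requested options to the fourth field of the entry for one mount point, leaves every other line as it is, and never adds an option that is already present, so it can be run twice without harm. The sample fstab it operates on is constructed for the example; nothing here writes to /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the book): add mount options such as usrquota or
# grpquota to the fourth field of the fstab entry for one mount point.
# Reads fstab text on stdin, writes the result to stdout; review or diff the
# output before it replaces the real /etc/fstab.

# fstab_enable_quota MOUNTPOINT OPTIONS   (fstab text on stdin)
#   MOUNTPOINT  the second fstab field to match, e.g. /home
#   OPTIONS     comma-separated options to add, e.g. usrquota,grpquota
fstab_enable_quota() {
    awk -v mp="$1" -v add="$2" '
        # Comments, short lines and other mount points pass through unchanged.
        /^[[:space:]]*#/ || NF < 4 || $2 != mp { print; next }
        {
            n = split(add, want, ",")
            for (i = 1; i <= n; i++)
                # Wrap both sides in commas so "quota" does not match "usrquota".
                if (index("," $4 ",", "," want[i] ",") == 0)
                    $4 = $4 "," want[i]
            print
        }'
}

# Constructed sample fstab (not a real system file).
SAMPLE_FSTAB='LABEL=/      /      ext2  defaults      1 1
LABEL=/home  /home  ext2  nosuid,nodev  1 2
none         /proc  proc  defaults      0 0
# only the /home entry above is touched by the quota chapter'

# Enable both user and group quota on /home (Possibility 3 in the text).
printf '%s\n' "$SAMPLE_FSTAB" | fstab_enable_quota /home usrquota,grpquota
```

Because the function only rewrites the matching line, the other entries keep their original spacing, which makes a diff of the old and new file show exactly one changed line; after the change is written, the `mount -oremount /home/` step from the text still has to be run before Quota can be set up.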


Creating the quota.user and quota. group files 

After the modification of your /etc/fstab file, in order for Quotas to be established on a file 
system, the root directory of the file system on which you want to enable the Quota feature (i.e. 
/home/ in our example) must contain a file, owned by root, called “quota.user” if you want to 
use and set user Quota, and/or “quota.group” if you want to use and set group Quota, or 
both if you want user and group Quota. 


Step 1 

We must create, in the directory in which we want to have Quota feature enabled, the required 
files. In our example, we will create under the /home/ directory the file for user and group 
restrictions as shown below. 


• To create the quota.user and/or quota.group files, as “root” go to the root of the 
partition on which you wish to enable Quota (i.e. /home/) and create quota.user and/or 
quota.group by doing: 


[root@deep /]# touch /home/quota.user 
[root@deep /]# touch /home/quota.group 
[root@deep /]# chmod 600 /home/quota.user 
[root@deep /]# chmod 600 /home/quota.group 


The touch command will create new empty files under the /home/ directory named 
quota.user and quota.group. The chmod command will set the mode of these files to be 
read-write only by the super-user “root”. 








WARNING: Both Quota record files, quota.user and quota.group, should be owned by root, 
with read-write permission for “root” only (0600/-rw-------). 





Assigning Quota for Users and Groups 
After the required files have been created, you can assign Quotas to users or groups of users on 
your system. This operation is performed with the edquota tool. 


The edquota tool 


The edquota program is a Quota editor that creates a temporary file of the current disk Quotas 
used by the super-user “root” to set Quotas for users or group of users in the system. The 
example below shows you how to setup Quotas for users or groups on your system. 
Assigning quota for a particular user 

Consider, for example, that you have a user with the login id “gmourani” on your system. The 
following command takes you into the editor (vi) to edit and set Quotas for user “gmourani” on 
each partition that has Quotas enabled: 


Step 1 


• To edit and modify Quota for user “gmourani”, use the following command: 
[root@deep /]# edquota -u gmourani 
Quotas for user gmourani: 
/dev/sda8: blocks in use: 0, limits (soft = 0, hard = 0) 
        inodes in use: 0, limits (soft = 0, hard = 0) 


After the execution of the above command, you will see the following lines related to the example 
user “gmourani” appear on the screen. The "blocks in use:" value displays the total number of 
blocks (in kilobytes) the user has presently consumed on a partition. The "inodes in use:" 
value displays the total number of files the user presently has on a partition. These parameters 
(“blocks in use” and “inodes in use”) are controlled and set automatically by the system 
and you don’t need to touch them. 


Step 2 


• To assign 5MB of quota for user “gmourani”, change the following parameters: 
Quotas for user gmourani: 
/dev/sda6: blocks in use: 0, limits (soft = 0, hard = 0) 
        inodes in use: 0, limits (soft = 0, hard = 0) 


To read: 


Quotas for user gmourani: 
/dev/sda6: blocks in use: 0, limits (soft = 5000, hard = 6000) 
        inodes in use: 0, limits (soft = 0, hard = 0) 


The soft limit (soft = 5000) specifies the maximum amount of disk usage a Quota user is 
allowed to have (in our example this amount is fixed to 5MB). The hard limit (hard = 6000) 
specifies the absolute limit on the disk usage a Quota user can't go beyond it. Take a note that 
the “hard limit” value works only when the “grace period” parameter is set. 


The grace period parameter 

The “grace period” parameter allows you to set a time limit before the soft limit value is 
enforced on a file system with Quota enabled (see the soft limit above for more 
information). For example, this parameter can be used to warn your users about a new policy that 
will set a Quota of 5MB of disk space in their home directory in 7 days. You can set the 0 days 
default part of this parameter to any length of time that you feel is reasonable. The change of this 
setting requires two steps as follows (in my example I assume 7 days). 


Step 1 


• Edit the default grace period parameter by using the following command: 
[root@deep /]# edquota -t 
Time units may be: days, hours, minutes, or seconds 
Grace period before enforcing soft limits for users: 
/dev/sda8: block grace period: 0 days, file grace period: 0 days 
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Step 2 


• To modify the grace period to 7 days, change or set the following default parameters: 

Time units may be: days, hours, minutes, or seconds 
Grace period before enforcing soft limits for users: 
/dev/sda8: block grace period: 0 days, file grace period: 0 days 





To read: 


Time units may be: days, hours, minutes, or seconds 
Grace period before enforcing soft limits for users: 
/dev/sda8: block grace period: 7 days, file grace period: 7 days 











NOTE: The command “edquota -t” edits the soft time limits for each file system with 
Quotas enabled. 





Assigning quota for a particular group 

Consider, for example, you have a group with the group id “users” on your system. The following 
command takes you into the vi editor to edit Quotas for the group “users” on each partition that 
has Quotas enabled: 


• To edit and modify Quota for group “users”, use the following command: 
[root@deep /]# edquota -g users 
Quotas for group users: 
/dev/sda8: blocks in use: 0, limits (soft = 0, hard = 0) 
           inodes in use: 0, limits (soft = 0, hard = 0) 


The procedure is the same as for assigning Quotas for a particular user; as described 
previously, you must modify the “soft =” and “hard =” parameters, then save your changes. 


Assigning quota for groups of users with the same value 

The edquota tool has a special option (-p) that assigns Quotas for groups of users with the 
same value assigned to an initial user. Assuming that you want to assign users starting at UID 
500 on the system the same value as the user “gmourani”, we would first edit and set 
gmourani's Quota information, then execute: 


• To assign Quota for a group of users with the same value, use the following command: 
[root@deep /]# edquota -p gmourani `awk -F: '$3 > 499 {print $1}' /etc/passwd` 


The edquota program will duplicate the Quota that we have set for the user “gmourani” to all 
users in the /etc/passwd file whose UID is above 499. 








NOTE: You can use the quota utility to set a maximum size for the mail box of your mail users. For 
example: set the quota for users to 10M on your /var partition and set the min and max inodes 
parameters of quota to 1. Then a user will be able to keep only 10M in his /var/spool/$LOGNAME. 
Further documentation 
For more details, there are several man pages you can read: 


$ man edquota (8) - edit user quotas 

$ man quota (1) - display disk usage and limits 

$ man quotacheck (8) - scan a file system for disk usages 

$ man quotactl (2) - manipulate disk quotas 

$ man quotaon, quotaoff (8) - turn file system quotas on and off 

$ man repquota (8) - summarize quotas for a file system 

$ man rquota (3) - implement quotas on remote machines 


Quota Administrative Tools 


The commands listed below are some that we use often, but many more exist. Check the manual 
page for more information. 


Quota 
Quota displays users' disk usage and limits on a file system. 


• To display user disk usage and limits, use the following command: 
[root@deep /]# quota -u gmourani 
Disk quotas for user gmourani (uid 500): 
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace 
      /dev/sda8    4692    5000    6000               9       0       0 


• To display group Quotas for the group of which the user is a member, use the following 
command: 
[root@deep /]# quota -g gmourani 
Disk quotas for group gmourani (gid 500): 
     Filesystem  blocks   quota   limit   grace   files   quota   limit   grace 
      /dev/sda8    4660    5000    6000               1       0       0 








NOTE: If the group quota is not set for the user specified, you will receive the following 
message: Disk quotas for group gmourani (gid 501): none 





Repquota 
The Repquota utility produces summarized quota information of the disk usage and quotas for 
the specified file systems. Also, it prints the current number of files and amount of space used (in 
kilobytes) for each user. 


• Here is a sample output repquota gives (your results may vary): 
[root@deep /]# repquota -a 
                        Block limits                File limits 
User            used    soft    hard  grace    used  soft  hard  grace 
gmourani  --    4660    5000    6000              1     0     0 

                        Block limits                File limits 
User            used    soft    hard  grace    used  soft  hard  grace 
root      --    4980       0       0              6     0     0 
gmourani  --    4692    5000    6000              9     0     0 
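The listing above shows the repquota columns. As an added example (not from the book), the following shell script reads output in that format and classifies each user's block and file usage against the soft and hard limits explained in this section; the sample lines are constructed and reuse the 5000/6000 KB limits of the gmourani example.

```shell
#!/bin/sh
# Added example, not from the book: classify users' disk usage from
# repquota(8)-style output such as the listing above. The sample lines
# are constructed; the 5000/6000 KB limits mirror this section's example.

# quota_status USED SOFT HARD -> unlimited | ok | soft-exceeded | hard-reached
quota_status() {
    used=$1; soft=$2; hard=$3
    if [ "$soft" -eq 0 ] && [ "$hard" -eq 0 ]; then
        echo unlimited      # 0 means "no limit", exactly as in edquota
    elif [ "$hard" -ne 0 ] && [ "$used" -ge "$hard" ]; then
        echo hard-reached   # the kernel refuses any further allocation
    elif [ "$soft" -ne 0 ] && [ "$used" -gt "$soft" ]; then
        echo soft-exceeded  # tolerated only until the grace period expires
    else
        echo ok
    fi
}

# Read repquota lines on stdin and print "user block-status file-status".
# Layout: user flags used soft hard [grace] used soft hard [grace]; the
# grace columns appear only when the corresponding soft limit is exceeded,
# which the flags field ("+-", "-+", "++") tells us in advance.
repquota_report() {
    while read -r user flags bused bsoft bhard rest; do
        # Skip the two header lines and blank lines: their second field
        # is never a flags pair.
        case "$flags" in --|+-|-+|++) ;; *) continue ;; esac
        set -- $rest
        if [ "${flags%?}" = "+" ]; then
            shift                       # drop the block grace column
        fi
        fused=$1; fsoft=$2; fhard=$3
        printf '%s %s %s\n' "$user" \
            "$(quota_status "$bused" "$bsoft" "$bhard")" \
            "$(quota_status "$fused" "$fsoft" "$fhard")"
    done
}

# Constructed sample in repquota -a format (not real output from the book).
sample_repquota() {
    cat <<'EOF'
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
root      --    4980       0       0              6     0     0
gmourani  --    4692    5000    6000              9     0     0
mailuser  +-    5200    5000    6000  6days       3     0     0
EOF
}

sample_repquota | repquota_report
```

On a live system the same report is obtained with `repquota -a | repquota_report`.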
Part VII Domain Name System Related Reference 
In this Part 


Domain Name System - ISC BIND/DNS 


Every time you send an electronic mail, surf the net, connect to another server, or talk with 
someone for example, you rely on the Domain Name System. It is rare that you don’t have to 
pass through DNS in a networking environment. The Domain Name System is essential even if 
you don’t run a Domain Name Server since it is the program (the directory to the Internet) that 
handles mapping between host names. Without it you cannot retrieve information remotely from 
everywhere on the network. 


ISC BIND & DNS is very important and must be installed on every kind of server since many of 
the services described in this book rely on it to work properly. Without DNS servers no one on the 
Internet will be able to find your servers. 
19 Domain Name System - ISC BIND/DNS 
In this Chapter 


Recommended RPM packages to be installed for a DNS Server 
Compiling - Optimizing & Installing ISC BIND & DNS 
Configuring ISC BIND & DNS 

Caching-Only Name Server 

Primary Master Name Server 

Secondary Slave Name Server 

Running ISC BIND & DNS in a chroot jail 

Securing ISC BIND & DNS 

Optimizing ISC BIND & DNS 

ISC BIND & DNS Administrative Tools 

ISC BIND & DNS Users Tools 
Linux ISC BIND & DNS Server 


Abstract 

Once we have installed all the necessary security software in our Linux server, it’s time to 
improve and tune the networking part of our server. Domain Name System (DNS) is one of the 
MOST important network services for IP network communication, and for this reason, all Linux 
client machines should be configured to perform caching functions as a minimum. Setting up a 
caching server for local client machines will reduce the load on the site’s primary server. A 
caching-only name server will find the answer to name queries and remember the answer the 
next time we need it. This will shorten the waiting time significantly the next time. 


A Name Server (NS) is a program that stores information about named resources and responds 
to queries from programs called resolvers, which act as client processes. The basic function of 
an NS is to provide information about network objects by answering queries. Linux is a perfect 
platform to run and deploy the BIND DNS server; a number of Linux DNS servers on the Internet 
are listed as authoritative DNS servers for Microsoft's domains. Yes, Microsoft has partially 
outsourced the management of its Domain Name System (DNS) servers to Linux for the job. Oops! 


BIND (Berkeley Internet Name Domain) is a widely used, free implementation of the Domain 
Name System for Unix and Windows NT. It provides a server, a client library, and several utility 
programs. It is estimated to be the DNS software in use on over 90% of the hosts on the Internet 
and this is the one that we will describe further down in this chapter. 


To separate your internal Domain Name Services from external DNS, it is better to use Split DNS, 
also known and referred to as "shadow namespaces". A Split DNS or "shadow namespace" is a 
name server that can answer queries from one source one way, and queries from another source 
another way. A Split DNS allows the names, addresses and the topology of the secure network to 
be kept unavailable to the insecure external network. With Split DNS the external DNS only reveals 
public addresses and the internal DNS reveals internal IP addresses to the secure network. This 
is the recommended DNS configuration to use between hosts on the corporate network and 
external hosts. 


To do split DNS, you must have two independent name servers for the same zone. One server 
and one copy of the zone are presented to the outside world. The other name server has a 
probably different set of contents for that zone, which it makes available to the inside. 


In our configuration and installation we'll run ISC BIND & DNS as a non-root user and in a chrooted 
environment. We also provide you with three different configurations: one for a simple Caching-Only 
Name Server (client), one for a Slave Name Server (Secondary DNS Server) and another 
one for a Master Name Server (Primary DNS Server). 


The simple Caching Name Server configuration will be used for your servers that don’t act as a 
Master or Slave Name Server, and the Slave and Master configurations will be used for your 
servers that act as a Master Name Server and Slave Name Server. Usually one of your servers 
acts as Primary/Master, another one acts as Secondary/Slave and the rest act as simple Caching 
client Name Server. 
Recommended RPM packages to be installed for a DNS Server 

A minimal configuration provides the basic set of packages required by the Linux operating 
system. A minimal configuration is a perfect starting point for building a secure operating system. 
Below is the list of all recommended RPM packages required to run your Linux server properly as 
a Primary/Master or Secondary/Slave Domain Name Server (DNS). 


This configuration assumes that your kernel is a monolithic kernel. Also, I suppose that you will 
install ISC BIND & DNS by RPM package. Therefore, the bind and bind-utils RPM packages are 
already included in the list below, as you can see. Not all security tools are installed; it is up to you 
to install them as you see fit, by RPM packages, since compilers are not installed or included in 
the list. 


basesystem      diffutils       initscripts     openssh         slang 
bash            e2fsprogs       iptables        openssh-server  slocate 
bdflush         ed              kernel          openssl         sysklogd 
bind            file            less            pam             syslinux 
bind-utils      filesystem      libstdc++       passwd          SysVinit 
bzip2           fileutils       libtermcap      popt            tar 
chkconfig       findutils       lilo            procps          termcap 
console-tools   gawk            logrotate       psmisc          textutils 
cpio            gdbm            losetup         pwdb            tmpwatch 
cracklib        gettext         MAKEDEV         qmail           utempter 
cracklib-dicts  glib            man             readline        util-linux 
crontabs        glibc           mingetty        rootfiles       vim-common 
db1             glibc-common    mktemp          rpm             vim-minimal 
db2             grep            mount           sed             vixie-cron 
db3             groff           ncurses         setup           words 
dev             gzip            net-tools       sh-utils        which 
devfsd          info            newt            shadow-utils    zlib 


Tested and fully functional on OpenNA.com. 
Domain Name System 

[Figure: network diagram of the DNS configuration used in this book. Labels recovered from the 
drawing: DNS ROOT SERVERS AROUND THE WORLD; Firewall; Router 207.35.78.1; The Gateway 
Server, runs a CACHING DNS, External HUB; CACHING DNS / Gateway Server 207.35.78.2 & 
192.168.1.1; MASTER DNS / Primary DNS 207.35.78.5; SLAVE DNS / Secondary DNS 207.35.78.6; 
Internal HUB; internal network 192.168.1.0/24.] 

+ MASTER DNS is also known as Primary DNS 
+ SLAVE DNS is also known as Secondary DNS 
+ All other servers on the network will run a CACHING DNS 
+ Usually, all internal computers run at least a CACHING DNS 
This is a graphical representation of the DNS configuration we use in this book. We try to show 
you different settings (Caching-Only DNS, Primary/Master DNS, and Secondary/Slave DNS) on 
different servers. Please note that many possibilities exist, depending on your needs and network 
architecture design. 
These installation instructions assume 

Commands are Unix-compatible. 
The source path is /var/tmp (note that other paths are possible, at personal discretion). 
Installations were tested on Red Hat 7.1. 
All steps in the installation will happen using the super-user account “root”. 
Whether kernel recompilation may be required: No 
Latest ISC BIND & DNS version number is 9.1.2 


Packages 
The following are based on information as listed by ISC BIND & DNS as of 2001/05/05. Please 
regularly check at www.isc.org for the latest status. 


Source code is available from: 

ISC BIND & DNS Homepage: http://www.isc.org/ 

ISC BIND & DNS FTP Site: 204.152.184.27 

You must be sure to download: bind-9.1.2.tar.gz 


Prerequisites 

ISC BIND & DNS requires that the software below is already installed on your system to be able 
to compile successfully. If this is not the case, you must install it. Please make sure you have all 
of these programs installed on your machine before you proceed with this chapter. 


✓ To improve signing and verification speed of BIND9, an OpenSSL library that uses hand- 
optimized assembly language routines should already be installed on your system. 


✓ Kernel 2.4 is required to set up BIND9 in your system. 








NOTE: For more information on OpenSSL software, see its related chapter in this book. 





Pristine source 

If you don’t use the RPM package to install this program, it will be difficult for you to locate all 
installed files on the system in the eventuality of an update in the future. To solve the problem, 
it is a good idea to make a list of files on the system before you install ISC BIND & DNS, and one 
afterwards, and then compare them using the diff utility of Linux to find out what files are 
placed where. 


• Simply run the following command before installing the software: 
[root@deep /root]# find /* > DNS1 


• And the following one after you install the software: 
[root@deep /root]# find /* > DNS2 


• Then use the following command to get a list of what changed: 
[root@deep /root]# diff DNS1 DNS2 > ISC-BIND-DNS-Installed 








With this procedure, if any upgrade appears, all you have to do is to read the generated list of 
what files were added or changed by the program and remove them manually from your system 
before installing the new software. In our example above, we use the /root directory of 
the system to store all generated list files. 
Compiling - Optimizing & Installing ISC BIND & DNS 

Below are the required steps that you must make to configure, compile and optimize the ISC 
BIND & DNS software before installing it into your Linux system. First off, we install the program 
as user 'root' so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


• These procedures can be accomplished with the following commands: 
[root@deep /]# cp bind-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf bind-version.tar.gz 


Step 2 

In order to check that the version of ISC BIND & DNS, which you are going to install, is an original 
and unmodified one, please check the supplied signature with the PGP key of ISC BIND & DNS. 
Unfortunately, ISC BIND & DNS doesn’t provide an MD5 signature for verification. But a PGP key is 
available on the ISC BIND & DNS website. 


To get a PGP key copy of ISC BIND & DNS, please point your browser to the following URL: 
http://www.isc.org/. For more information about how to use this key for verification, see the GnuPG 
chapter in this book. 


Step 3 
ISC BIND & DNS cannot run as super-user root; for this reason we must create a special user 
with no shell privileges on the system for running ISC BIND & DNS daemon. 


• To create this special ISC BIND & DNS user, use the following command: 
[root@deep tmp]# useradd -c “Named” -u 25 -s /bin/false -r -d /var/named named 2>/dev/null || : 


The above command will create a null account, with no password, no valid shell, no files owned, 
nothing but a UID and a GID for the program. 


Step 4 

After that, move into the newly created ISC BIND & DNS directory and perform the following steps 
before compiling and optimizing it. The modifications we bring to the ISC BIND & DNS source files 
below are necessary to relocate some default files as well as to fix a small bug with the software. 


• To move into the newly created ISC BIND & DNS directory, use the following command: 
[root@deep tmp]# cd bind-9.1.2/ 
Step 4.1 

The first file that we must modify is called dighost.c, located under the source directory of ISC 
BIND & DNS. In this file, we will add a missing code line related to the reverse function of the 
program. 


• Edit the dighost.c file (vi +224 bin/dig/dighost.c) and change the lines: 

        if (n == 0) { 
                return (DNS_R_BADDOTTEDQUAD); 
        } 
        for (i = n - 1; i >= 0; i--) { 
                snprintf(working, MXNAME/8, "%3d.", 
                         adrs[i]); 

To read: 

        if (n == 0) { 
                return (DNS_R_BADDOTTEDQUAD); 
        } 
        reverse[0] = 0; 
        for (i = n - 1; i >= 0; i--) { 
                snprintf(working, MXNAME/8, "%3d.", 
                         adrs[i]); 

Step 4.2 


The second source file to modify is called globals.h and one of its functions is to specify the 
location of the named.pid and lwresd.pid files. We'll change the default location for these 
files to be compliant with our Linux operating system. 


• Edit the globals.h file (vi +101 bin/named/include/named/globals.h) and 
change the lines: 

                        "/run/named.pid"); 

To read: 

                        "/run/named/named.pid"); 

and 

                        "/run/lwresd.pid"); 

To read: 

                        "/run/named/lwresd.pid"); 
Step 5 
Once the required modifications have been made to the source files of ISC BIND & DNS, it is 
time to configure and optimize it for our system. 


• To configure and optimize ISC BIND & DNS use the following commands: 
CFLAGS="-O3 -funroll-loops -fomit-frame-pointer" \ 
./configure \ 
--prefix=/usr \ 
--sysconfdir=/etc \ 
--localstatedir=/var \ 
--mandir=/usr/share/man \ 
--with-openssl=/usr/include/openssl \ 
--with-libtool \ 
--disable-ipv6 \ 
--enable-threads 


This tells ISC BIND & DNS to set itself up for this particular system with: 

- Build shared libraries. 
- Use the original OpenSSL rather than the bind-9 internal OpenSSL. 
- Disable IPv6 support. 
- Use multithreading. 








WARNING: Pay special attention to the above CFLAGS line. As you can see I voluntarily omitted to 
include the options “-march=i686” and “-mcpu=i686”. I don’t know why, but with these options 
BIND compiles successfully but never starts on the system. Therefore I highly recommend not 
including any “-march” or “-mcpu” options to compile BIND, or nothing will work. Also, if you have 
added this option into your /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs or any 
equivalent file, remove it temporarily while compiling this program and add it back after successful 
compilation of BIND. 





Step 6 

At this stage of our work the program is ready to be built and installed. We build ISC BIND & DNS 
with the ‘make’ command and produce a list of files on the system before we install the software, 
and one afterwards, then compare them using the diff utility to find out what files are placed 
where and finally install ISC BIND & DNS. 


[root@deep bind-9.1.2]# make 
[root@deep bind-9.1.2]# cd 
[root@deep /root]# find /* > DNS1 
[root@deep /root]# cd /var/tmp/bind-9.1.2/ 
[root@deep bind-9.1.2]# make install 
[root@deep bind-9.1.2]# cd doc/man/bin/ 
[root@deep bin]# install -c -m 444 named.8 /usr/share/man/man8/ 
[root@deep bin]# install -c -m 444 rndc.8 /usr/share/man/man8/ 
[root@deep bin]# install -c -m 444 lwresd.8 /usr/share/man/man8/ 
[root@deep bin]# install -c -m 444 nsupdate.8 /usr/share/man/man8/ 
[root@deep bin]# install -c -m 444 named-checkconf.1 /usr/share/man/man1/ 
[root@deep bin]# install -c -m 444 named-checkzone.1 /usr/share/man/man1/ 
[root@deep bin]# install -c -m 444 host.1 /usr/share/man/man1/ 
[root@deep bin]# install -c -m 444 dig.1 /usr/share/man/man1/ 
[root@deep bin]# install -c -m 444 rndc.conf.5 /usr/share/man/man5/ 
[root@deep bin]# cd ../../../ 
[root@deep bind-9.1.2]# strip /usr/sbin/named 
[root@deep bind-9.1.2]# mkdir -p /var/named 
[root@deep bind-9.1.2]# mkdir -p /var/run/named 
[root@deep bind-9.1.2]# install -c -m 640 bin/rndc/rndc.conf /etc/ 
[root@deep bind-9.1.2]# chown named.named /etc/rndc.conf 
[root@deep bind-9.1.2]# chown named.named /var/named/ 
[root@deep bind-9.1.2]# chown named.named /var/run/named/ 
[root@deep bind-9.1.2]# /sbin/ldconfig 
[root@deep bind-9.1.2]# cd 
[root@deep /root]# find /* > DNS2 
[root@deep /root]# diff DNS1 DNS2 > ISC-BIND-DNS-Installed 





The above commands will configure the software to ensure your system has the necessary 
libraries to successfully compile the package, compile all source files into executable binaries, 
and then install the binaries and any supporting files into the appropriate locations. 


Step 7 

Once compilation, optimization and installation of the software have been finished, we can free up 
some disk space by deleting the program tar archive and the related source directory since they 
are no longer needed. 


• To delete ISC BIND & DNS and its related source directory, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf bind-version/ 
[root@deep tmp]# rm -f bind-version.tar.gz 


The rm command as used above will remove all the source files we have used to compile and 
install ISC BIND & DNS. It will also remove the ISC BIND & DNS compressed archive from the 
/var/tmp directory. 


Configuring ISC BIND & DNS 

After ISC BIND & DNS has been built and installed successfully on your system, your next step is 
to configure and customize all the required parameters in your different ISC BIND & DNS 
configuration files. Depending on the kind of Domain Name System you want to run on your Linux 
server, there are different configuration files to set up; these files are: 


For running ISC BIND & DNS as a Caching-Only Name Server: 

✓ /etc/named.conf (The ISC BIND & DNS Configuration File) 
✓ /var/named/db.127.0.0 (The ISC BIND & DNS reverse mapping File) 
✓ /var/named/db.cache (The ISC BIND & DNS Root server hints File) 
✓ /etc/sysconfig/named (The ISC BIND & DNS System Configuration File) 
✓ /etc/rc.d/init.d/named (The ISC BIND & DNS Initialization File) 


For running ISC BIND & DNS as a Master/Primary Name Server: 

✓ /etc/named.conf (The ISC BIND & DNS Configuration File) 
✓ /var/named/db.127.0.0 (The ISC BIND & DNS reverse mapping File) 
✓ /var/named/db.cache (The ISC BIND & DNS Root server hints File) 
✓ /var/named/db.207.35.78 (The ISC BIND & DNS host names to addr mapping File) 
✓ /var/named/db.openna (The ISC BIND & DNS addr to host names mapping File) 
✓ /etc/sysconfig/named (The ISC BIND & DNS System Configuration File) 
✓ /etc/rc.d/init.d/named (The ISC BIND & DNS Initialization File) 


For running ISC BIND & DNS as a Slave/Secondary Name Server: 

✓ /etc/named.conf (The ISC BIND & DNS Configuration File) 
✓ /var/named/db.127.0.0 (The ISC BIND & DNS reverse mapping File) 
✓ /var/named/db.cache (The ISC BIND & DNS Root server hints File) 
✓ /etc/sysconfig/named (The ISC BIND & DNS System Configuration File) 
✓ /etc/rc.d/init.d/named (The ISC BIND & DNS Initialization File) 








WARNING: It is important to note that some of the configuration files mentioned above are the 
same for all types of Domain Name System and for this reason, files that are common for all 
configuration are described after all specific Domain Name System configurations. Please read all 
information contained in this chapter to be sure to not forget something. 





Caching-Only Name Server 

This section applies only if you chose to install and use ISC BIND & DNS as a Caching Name 
Server on your system. Caching-only name servers are servers not authoritative for any domains 
except 0.0.127.in-addr.arpa (the localhost). A Caching-Only Name Server can look up 
names inside and outside your zone, as can Primary and Slave Name Servers. The difference is 
that when a Caching-Only Name Server initially looks up a name within your zone, it ends up 
asking one of the Primary or Slave Name Servers for your zone for the answer. 


/etc/named.conf: The ISC BIND & DNS Configuration File 

Use this configuration file for all servers on your network that don’t act as a Master or Slave 
Name Server. Setting up a simple Caching Server for local client machines will reduce the load 
on the network’s primary server. 


Step 1 

Many users on dialup connections may use this configuration along with ISC BIND & DNS for 
such a purpose. With this configuration for a Caching-Only Name Server, all queries from outside 
clients are refused. The text in bold is the part of the configuration file that must be customized 
and adjusted to satisfy our needs. 


• Create the named.conf file (touch /etc/named.conf) and add the following lines in 
the file. Below is what we recommend you: 

options { 
        directory "/var/named"; 
        allow-transfer { none; }; 
        allow-query { 192.168.1.0/24; localhost; }; 
        allow-recursion { 192.168.1.0/24; localhost; }; 
        forwarders { 207.35.78.5; 207.35.78.6; }; 
        version "Go away!"; 
}; 

logging { 
        category lame-servers { null; }; 
}; 

// Root server hints 
zone "." { type hint; file "db.cache"; }; 

// Provide a reverse mapping for the loopback address 127.0.0.1 
zone "0.0.127.in-addr.arpa" { 
        type master; 
        file "db.127.0.0"; 
        notify no; 
}; 


This tells the named.conf file to set itself up for this particular configuration with: 


Options {}; 
The options statement sets up global options to be used by ISC BIND & DNS and may appear 
only once in a configuration file. 


directory “/var/named”; 

The directory statement indicates the working directory of the server and should be an 
absolute path. The working directory is where all configuration files related to ISC BIND & DNS 
reside. 


allow-transfer { none; }; 

The allow-transfer statement specifies which hosts are allowed to receive zone transfers 
from the Primary/Master Name Server. The default setting of ISC BIND & DNS is to allow 
transfers to all hosts. Since zone transfer requests are only required by a Secondary/Slave 
Name Server, and since the configuration we are building here is for a Caching-Only Name 
Server, we can completely disable this directive with the parameter “allow-transfer { none; };”. 
This is a security feature. 


allow-query { 192.168.1.0/24; localhost; }; 

The allow-query statement specifies which hosts are allowed to ask ordinary questions to the 
Caching Name Server. The default setting in the options block is to allow queries from all hosts. 
In our configuration, we wish to allow queries from one corporate subnet only. This is a security 
feature. 


allow-recursion { 192.168.1.0/24; localhost; }; 

The allow-recursion statement specifies which hosts are allowed to make recursive queries 
through this server. With the configuration as shown above, we allow recursive queries only from 
internal hosts, since allowing every external host on the Internet to ask your name server to 
answer recursive queries can open you up to certain kinds of cache poisoning attacks. This is a 
security feature. 


forwarders { 207.35.78.5; 207.35.78.6; }; 

The forwarders statement specifies the IP addresses to be used for forwarding. Servers that 
do not have direct access to the Internet can use this option to create a large site-wide cache, 
reducing traffic over links to external name servers and to allow queries. It occurs only on those 
queries for which the server is not authoritative and does not have the answer in its cache. In the 
“forwarders” line, 207.35.78.5 and 207.35.78.6 are the IP addresses of the Primary 
(Master) and Secondary (Slave) DNS servers. They can also be the IP addresses of your ISP’s 
DNS server and another DNS server, respectively. 


Why would one assume that what's in one's ISP's name server’s cache is any more "secure" than 
what one gets from the authoritative servers directly? That makes no sense at all. ISPs are often 
lazy about upgrades, which means that there's a substantial risk that their name servers may be 
compromised or cache-poisoned. Another downside of forwarding, of course, is that it introduces 
an extra hop for *every* query which can't be satisfied from the local server's cache or 
authoritative data. 
Now, sometimes that hop is worth it (because the answer is in your forwarder's cache, so you 
don't need to expend other "hops" over the Internet trying to resolve it yourself), but at other times 
(when the answer *doesn't* happen to be in the forwarder's cache), it just adds latency. So 
forwarding can *sometimes* be justified in terms of query performance. But in this case, it should 
be configured as "forward first" to provide redundancy in case the forwarders are unavailable. 
"forward first" is the default value in BIND9, and causes the server to query the IP 
addresses specified in the forwarders statement (the forwarders first), and if that doesn't 
answer the question, the server will then look for the answer itself. This is a performance feature. 


version "Go away!"; 

The version statement allows us to hide the real version number of our ISC BIND & DNS 
server. This can be useful when someone from the Internet tries to scan our Domain Name Server 
for a possibly vulnerable version of the software. You can change the string “Go away!” to 
whatever you want. Note that doing this will not prevent attacks and may impede people trying to 
diagnose problems with your server. This is a security feature. 


notify no; 

DNS Notify is a mechanism that allows Master Name Servers to notify their Slave servers of 
changes to a zone's data. In response to a NOTIFY from a Master server, the Slave will check to 
see that its version of the zone is the current version and, if not, initiate a transfer. The notify 
statement by default is set to “yes”, but since the loopback address 127.0.0.1 is the same 
on each system, we must avoid transferring this localhost configuration file to the Secondary/Slave 
Name Server. 








NOTE: You can configure logging so that lame server messages aren't logged, which will reduce 
the overhead on your DNS and syslog servers. Lame server messages report hosts that are 
believed to be name servers for the given domains, but which do not believe themselves to be 
such. This is often due to a configuration error on the part of that hostmaster. 


You can disable "Lame server" messages by using the logging statement in your named.conf 
file: 
logging { 
        category lame-servers { null; }; 
}; 


By the way, some of us also like to disable message like "... points to a CNAME" by adding in the 
logging statement the following line: 


category cname { null; }; 





Step 2 
Finally, we must set the mode permissions of this file to be (0600/-rw-------) and owned by 
the user ‘named’ for security reasons. 


• To change the mode permissions and ownership of the named.conf file, use the 
following commands: 
[root@deep /]# chmod 600 /etc/named.conf 
[root@deep /]# chown named.named /etc/named.conf 
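As an added check (not from the book), the following shell script audits the global options block of a named.conf for the directives discussed above: allow-transfer, allow-query, allow-recursion and version. The two sample configurations it writes are constructed here; only the options block is inspected, so allow-* statements placed in zone or view blocks are outside its scope.

```shell
#!/bin/sh
# Added example, not from the book: audit the global options {} block of a
# named.conf for the access-control directives recommended in this chapter.
# Limitation: only the options block is inspected; allow-* statements placed
# in zone or view blocks are not evaluated.

# Print the options { ... } block of a file, with // and # comments removed.
options_block() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" |
        sed -n '/^[[:space:]]*options[[:space:]]*{/,/^[[:space:]]*};/p'
}

# One finding per line; nothing printed means every check passed.
audit_named_conf() {
    opts=$(options_block "$1")
    # allow-transfer: absent means BIND's default, transfers to any host.
    if ! printf '%s\n' "$opts" | grep -q 'allow-transfer'; then
        echo "allow-transfer missing: zone transfers allowed to any host"
    elif printf '%s\n' "$opts" | grep -q 'allow-transfer[[:space:]]*{[^}]*any'; then
        echo "allow-transfer permits any host"
    fi
    # allow-recursion: open recursion exposes the cache to poisoning.
    if ! printf '%s\n' "$opts" | grep -q 'allow-recursion'; then
        echo "allow-recursion missing: recursive queries accepted from any host"
    elif printf '%s\n' "$opts" | grep -q 'allow-recursion[[:space:]]*{[^}]*any'; then
        echo "allow-recursion permits any host"
    fi
    # allow-query: without it the server answers anyone who asks.
    if ! printf '%s\n' "$opts" | grep -q 'allow-query'; then
        echo "allow-query missing: queries answered for any host"
    fi
    # version: the real version string is returned unless overridden.
    if ! printf '%s\n' "$opts" | grep -q '^[[:space:]]*version[[:space:]]'; then
        echo "version not overridden: real BIND version is disclosed"
    fi
    return 0
}

# Number of findings for a file (awk always exits 0, unlike grep -c).
finding_count() {
    audit_named_conf "$1" | awk 'END { print NR }'
}

# Constructed sample: a bare configuration that keeps BIND's permissive defaults.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/var/named";
        allow-transfer { any; };
};
zone "." { type hint; file "db.cache"; };
EOF
}

# Constructed sample: the caching-only options block recommended above.
write_hardened_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/var/named";
        allow-transfer { none; };
        allow-query { 192.168.1.0/24; localhost; };
        allow-recursion { 192.168.1.0/24; localhost; };
        forwarders { 207.35.78.5; 207.35.78.6; };
        version "Go away!";
};
EOF
}

main() {
    dir=$(mktemp -d)
    write_weak_conf "$dir/weak.conf"
    write_hardened_conf "$dir/hardened.conf"
    for f in weak hardened; do
        echo "== $f.conf: $(finding_count "$dir/$f.conf") finding(s)"
        audit_named_conf "$dir/$f.conf"
    done
    rm -rf "$dir"
}

main "$@"
```

Against a real server, run `audit_named_conf /etc/named.conf` after the chmod/chown step above.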
/var/named/db.127.0.0: The reverse mapping File 

Use this configuration file for all servers on your network that don’t act as a Master or Slave 
Name Server. The “db.127.0.0” file covers the loopback network by providing a reverse 
mapping for the loopback address on your system. 


Step 1 
Create the following file in /var/named. 


• Create the db.127.0.0 file (touch /var/named/db.127.0.0) and add the following 
lines in the file: 





; Revision History: March 01, 2001 - root@openna.com 
; Start of Authority (SOA) records. 

$TTL 86400 
@       IN      SOA     localhost. root.localhost. ( 
                        00              ; Serial 
                        10800           ; Refresh after 3 hours 
                        3600            ; Retry after 1 hour 
                        604800          ; Expire after 1 week 
                        86400 )         ; Minimum 

        IN      NS      localhost. 
1       IN      PTR     localhost. 


Step 2 
Now, we must set the mode permissions of this file to be (0644/-rw-r--r--) and owned by the 
user 'named' for security reasons. 

• To change the mode permissions and ownership of this file, use the following commands: 
[root@deep /]# chmod 644 /var/named/db.127.0.0 
[root@deep /]# chown named.named /var/named/db.127.0.0 


Primary Master Name Server 

This section applies only if you chose to install and use ISC BIND & DNS as a Primary Name 
Server in your system. The Primary Master Server is the ultimate source of information about a 
domain. The Primary Master is an authoritative server configured to be the source of zone 
transfer for one or more Secondary servers. The Primary Master Server obtains data for the zone 
from a file on disk. 


/etc/named.conf: The ISC BIND & DNS Configuration File 

Use this configuration for the server on your network that acts as a Master Name Server. In every 
respectable networking environment, you need to set up at least a Primary Domain Name Server 
for your network. We'll use “openna.com” as an example domain, and assume you are using the IP 
network address 207.35.78.0. 
Step 1 
To do this, add the following lines to your /etc/named.conf file. The text in bold is the part 
of the configuration file that must be customized and adjusted to satisfy our needs. 

• Create the named.conf file (touch /etc/named.conf) and add the following lines in 
the file. Below is what we recommend: 


options { 
    directory "/var/named"; 
    allow-transfer { 207.35.78.6; }; 
    allow-query { 192.168.1.0/24; 207.35.78.0/24; localhost; }; 
    allow-recursion { 192.168.1.0/24; 207.35.78.0/24; localhost; }; 
    version "Go away!"; 
}; 

logging { 
    category lame-servers { null; }; 
}; 

// Root server hints 
zone "." { type hint; file "db.cache"; }; 

// Provide a reverse mapping for the loopback address 127.0.0.1 
zone "0.0.127.in-addr.arpa" { 
    type master; 
    file "db.127.0.0"; 
    notify no; 
}; 

// We are the master server for OpenNA.com 
zone "openna.com" { 
    type master; 
    file "db.openna"; 
    allow-query { any; }; 
}; 

zone "78.35.207.in-addr.arpa" { 
    type master; 
    file "db.207.35.78"; 
    allow-query { any; }; 
}; 


This tells the named.conf file to set itself up for this particular configuration with: 

options {}; 
The options statement sets up global options to be used by ISC BIND & DNS and may appear 
only once in a configuration file. 


directory "/var/named"; 

The directory statement indicates the working directory of the server and should be an 
absolute path. The working directory is where all configuration files related to ISC BIND & DNS 
reside. 


allow-transfer { 207.35.78.6; }; 

The allow-transfer statement specifies which hosts are allowed to receive zone transfers 
from the Primary/Master Name Server. The default setting of ISC BIND & DNS is to allow 
transfers to any host. In the allow-transfer line shown above, 207.35.78.6 (our 
Secondary/Slave Name Server) is the only IP address allowed to receive zone transfers from the 
Primary/Master Name Server. You should configure your server to respond to zone transfer 
requests only from authorized IP addresses. In most cases, you'll only authorize your known 
Slave servers to transfer zones from your Primary/Master Name Server, as the information 
provided is often used by spammers and IP spoofers. This is a security feature. 


allow-query { 192.168.1.0/24; 207.35.78.0/24; localhost; }; 

The allow-query statement specifies which hosts are allowed to ask ordinary questions of the 
Primary Name Server. The default setting in the options block is to allow queries from all hosts. 
In our configuration, we wish to allow queries from our subnets (192.168.1.0/24, 
207.35.78.0/32, and localhost). With this restriction, everyone from the Internet can query 
us for the zones that we administer and their reverse, but only the internal hosts that we have 
specified in the “allow-query” statement can make other queries. Note that we add the 
"allow-query { any; };" option in each zone statement in the named.conf file to make this 
protection effective. This is a security feature. 


allow-recursion { 192.168.1.0/24; 207.35.78.0/24; localhost; }; 

The allow-recursion statement specifies which hosts are allowed to make recursive queries 
through this server. With the configuration shown above, we allow recursive queries only from 
internal hosts, since allowing every external host on the Internet (external hosts will have their 
own name servers) to ask your name server to answer recursive queries can open you up to 
certain kinds of cache poisoning attacks. This is a security feature. 


version "Go away!"; 

The version statement allows us to hide the real version number of our ISC BIND & DNS 
server. This can be useful when someone from the Internet tries to scan our Domain Name Server 
for a possibly vulnerable version of the software. You can change the string “Go away!” to 
whatever you want. Note that doing this will not prevent attacks and may impede people trying to 
diagnose problems with your server. This is a security feature. 


notify no; 

DNS Notify is a mechanism that allows Master Name Servers to notify their Slave servers of 
changes to a zone's data. In response to a NOTIFY from a Master Server, the Slave will check to 
see that its version of the zone is the current version and, if not, initiate a transfer. The notify 
statement is set to "yes" by default, but since the loopback address 127.0.0.1 is the same on 
every system, we must avoid transferring this localhost zone file to the Secondary/Slave 
Name Server. 
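As an added example that is not from the book, the following Python script checks a named.conf for the settings explained above: restricted allow-transfer, allow-query and allow-recursion lists, a hidden version string, notify no on the loopback zone, and a zone-level allow-query { any; } on the zones you serve. The small brace-matching parser, the two sample configurations and the finding texts are constructed for this example; the parser handles only the named.conf layout shown in this chapter, not the full BIND grammar.

```python
import re

# Constructed sample: the hardened Primary/Master named.conf from Step 1 above.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { 207.35.78.6; };
    allow-query { 192.168.1.0/24; 207.35.78.0/24; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/24; localhost; };
    version "Go away!";
};
logging { category lame-servers { null; }; };
// Root server hints
zone "." { type hint; file "db.cache"; };
zone "0.0.127.in-addr.arpa" { type master; file "db.127.0.0"; notify no; };
// We are the master server for OpenNA.com
zone "openna.com" { type master; file "db.openna"; allow-query { any; }; };
zone "78.35.207.in-addr.arpa" { type master; file "db.207.35.78"; allow-query { any; }; };
"""

# Constructed sample: a configuration that leaves BIND's permissive defaults in place.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    allow-recursion { any; };
};
zone "0.0.127.in-addr.arpa" { type master; file "db.127.0.0"; };
zone "openna.com" { type master; file "db.openna"; };
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    """Drop // and /* */ comments, then split into words, quoted strings, { } and ;."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//.*", "", text)
    return [tok.strip('"') for tok in TOKEN_RE.findall(text)]


def parse(tokens, pos=0):
    """Return (statements, pos). A statement is (head_words, body): body is the
    list of statements inside its { } block, or None when it has no block."""
    stmts, head, body = [], [], None
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            body, pos = parse(tokens, pos)   # consumes up to the matching }
        elif tok == "}":
            break
        elif tok == ";":
            stmts.append((head, body))
            head, body = [], None
        else:
            head.append(tok)
    return stmts, pos


def find(stmts, *words):
    """First statement whose head starts with the given words, else (None, None)."""
    for head, body in stmts:
        if tuple(head[:len(words)]) == words:
            return head, body
    return None, None


def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    stmts, _ = parse(tokenize(conf_text))
    findings = []
    _, options = find(stmts, "options")
    if options is None:
        return ["no options {} block found"]
    # The three access lists the chapter restricts; BIND's default for each is any host.
    for directive in ("allow-transfer", "allow-query", "allow-recursion"):
        head, body = find(options, directive)
        if head is None:
            findings.append(f"{directive} not set in options (BIND default: any host)")
        elif any(h == ["any"] for h, _ in body or []):
            findings.append(f"{directive} allows any host")
    if find(options, "version")[0] is None:
        findings.append("version string not hidden")
    for head, body in stmts:
        if head[:1] != ["zone"] or body is None:
            continue
        name = head[1]
        type_head, _ = find(body, "type")
        if type_head is not None and type_head[1:] == ["hint"]:
            continue                          # root hints zone: nothing to check
        if name == "0.0.127.in-addr.arpa":
            notify_head, _ = find(body, "notify")
            if notify_head is None or notify_head[1:] != ["no"]:
                findings.append(f"zone {name}: notify not disabled")
        elif find(body, "allow-query")[0] is None:
            findings.append(f"zone {name}: no zone-level allow-query, so the "
                            "global allow-query hides it from the Internet")
    return findings
```

Running audit() on the hardened sample returns no findings; on the weak sample it lists each default the chapter tells you to change.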








NOTE: You can configure logging so that lame server messages aren't logged, which will reduce 
the overhead on your DNS and syslog servers. Lame server messages report hosts that are 
believed to be name servers for the given domains, but which do not believe themselves to be 
such. This is often due to a configuration error on the part of that hostmaster. 


You can disable "Lame server" messages by using the logging statement in your named.conf 
file: 

logging { 
    category lame-servers { null; }; 
}; 


By the way, some of us also like to disable messages like "... points to a CNAME" by adding the 
following line to the logging statement: 

    category cname { null; }; 
Step 2 
Finally, we must set the mode permissions of this file to be (0600/-rw-------) and owned by 
the user 'named' for security reasons. 

• To change the mode permissions and ownership of the named.conf file, use the 
following commands: 
[root@deep /]# chmod 600 /etc/named.conf 
[root@deep /]# chown named.named /etc/named.conf 


/var/named/db.127.0.0: The reverse mapping File 

Use this configuration file for the server on your network that acts as a Master Name Server. The 
“db.127.0.0” file covers the loopback network by providing a reverse mapping for the loopback 
address on your system. 


Step 1 
Create the following file in /var/named. 


• Create the db.127.0.0 file (touch /var/named/db.127.0.0) and add the following 
lines in the file: 


; Revision History: March 01, 2001 - root@openna.com 
; Start of Authority (SOA) records. 

$TTL 172800 

@   IN   SOA   ns1.openna.com. root.openna.com. ( 
                00        ; Serial 
                10800     ; Refresh after 3 hours 
                3600      ; Retry after 1 hour 
                604800    ; Expire after 1 week 
                172800 )  ; Minimum TTL of 1 day 

; Name Server (NS) records. 
    IN   NS    ns1.openna.com. 
    IN   NS    ns2.openna.com. 

; Only one PTR record. 
1   IN   PTR   localhost. 


Step 2 
Now, we must set the mode permissions of this file to be (0644/-rw-r--r--) and owned by the 
user 'named' for security reasons. 

• To change the mode permissions and ownership of this file, use the following commands: 
[root@deep /]# chmod 644 /var/named/db.127.0.0 
[root@deep /]# chown named.named /var/named/db.127.0.0 
/var/named/db.207.35.78: The host names to addresses mapping File 

Use this configuration file for the server on your network that acts as a Master Name Server. The 
“db.207.35.78” file maps host names to addresses. 


Step 1 
Create the following file in /var/named. 


• Create the db.207.35.78 file (touch /var/named/db.207.35.78) and add the 
following lines in the file: 


; Revision History: March 01, 2001 - root@openna.com 
; Start of Authority (SOA) records. 

$TTL 172800 

@   IN   SOA   ns1.openna.com. root.openna.com. ( 
                00        ; Serial 
                10800     ; Refresh after 3 hours 
                3600      ; Retry after 1 hour 
                604800    ; Expire after 1 week 
                172800 )  ; Minimum TTL of 1 day 

; Name Server (NS) records. 
    IN   NS    ns1.openna.com. 
    IN   NS    ns2.openna.com. 

; Addresses point to canonical names (PTR) for reverse lookups. 
1   IN   PTR   router.openna.com. 
2   IN   PTR   portal.openna.com. 
3   IN   PTR   www.openna.com. 
4   IN   PTR   smtp.openna.com. 





Step 2 
Now, we must set the mode permissions of this file to be (0644/-rw-r--r--) and owned by the 
user 'named' for security reasons. 

• To change the mode permissions and ownership of this file, use the following commands: 
[root@deep /]# chmod 644 /var/named/db.207.35.78 
[root@deep /]# chown named.named /var/named/db.207.35.78 


/var/named/db.openna: The addresses to host names mapping File 

Use this configuration file for the server on your network that acts as a Master Name Server. The 
“db.openna” file maps addresses to host names. 


Step 1 
Create the following file in /var/named. 


• Create the db.openna file (touch /var/named/db.openna) and add the following 
lines in the file: 


; Revision History: March 01, 2001 - root@openna.com 
; Start of Authority (SOA) records. 

$TTL 172800 

@   IN   SOA   ns1.openna.com. root.openna.com. ( 
                00        ; Serial 
                10800     ; Refresh after 3 hours 
                3600      ; Retry after 1 hour 
                604800    ; Expire after 1 week 
                172800 )  ; Minimum TTL of 1 day 

; Name Server (NS) records. 
    IN   NS    ns1.openna.com. 
    IN   NS    ns2.openna.com. 

; Mail Exchange (MX) records. 
    IN   MX    0 smtp.openna.com. 

; Address (A) records. 
localhost   IN   A   127.0.0.1 
router      IN   A   207.35.78.1 
portal      IN   A   207.35.78.2 
www         IN   A   207.35.78.3 
smtp        IN   A   207.35.78.4 


Step 2 
Now, we must set the mode permissions of this file to be (0644/-rw-r--r--) and owned by the 
user 'named' for security reasons. 

• To change the mode permissions and ownership of this file, use the following commands: 
[root@deep /]# chmod 644 /var/named/db.openna 
[root@deep /]# chown named.named /var/named/db.openna 


Secondary Slave Name Server 

This section applies only if you chose to install and use ISC BIND & DNS as a Secondary Name 
Server in your system. The purpose of a Slave Name Server is to share the load with the Master 
Name Server, or handle the entire load if the Master Name Server is down. A Slave Name 
Server, which is an authoritative server, loads its data over the network from another Name 
Server (usually the Master Name Server, but it can load from another Slave Name Server too). 
This process is called a zone transfer. Slave servers provide necessary redundancy on the 
network. 


/etc/named.conf: The ISC BIND & DNS Configuration File 

Use this configuration for the server on your network that acts as a Slave Name Server. You must 
modify the “named.conf” file on the Slave Name Server host. 


Step 1 
Change every occurrence of primary to secondary except for “0.0.127.in-addr.arpa” and 
add a masters line with the IP address of the Master Server as shown below. The text in bold is 
the part of the configuration file that must be customized and adjusted to satisfy our needs. 

• Create the named.conf file (touch /etc/named.conf) and add the following lines in 
the file. Below is what we recommend: 


options { 
    directory "/var/named"; 
    allow-transfer { none; }; 
    allow-query { 192.168.1.0/24; 207.35.78.0/24; localhost; }; 
    allow-recursion { 192.168.1.0/24; 207.35.78.0/24; localhost; }; 
    version "Go away!"; 
}; 

logging { 
    category lame-servers { null; }; 
}; 

// Root server hints 
zone "." { type hint; file "db.cache"; }; 

// Provide a reverse mapping for the loopback address 127.0.0.1 
zone "0.0.127.in-addr.arpa" { 
    type master; 
    file "db.127.0.0"; 
    notify no; 
}; 

// We are a slave server for OpenNA.com 
zone "openna.com" { 
    type slave; 
    file "db.openna"; 
    masters { 207.35.78.5; }; 
    allow-query { any; }; 
}; 

zone "78.35.207.in-addr.arpa" { 
    type slave; 
    file "db.207.35.78"; 
    masters { 207.35.78.5; }; 
    allow-query { any; }; 
}; 


The above named.conf file tells the Secondary Name Server that it is a Slave Server for the 
zone “openna.com” and should track the version of this zone that is being kept on the host 
“207.35.78.5”, which is the Master Name Server in the network. 








NOTE: A Slave Name Server doesn't need to retrieve all of its database (db) files over the network 
because the db files “db.127.0.0” and “db.cache” are the same as on a Primary Master, so 
you can keep a local copy of these files on the Slave Name Server. 


You can configure logging so that lame server messages aren't logged, which will reduce the 
overhead on your DNS and syslog servers. Lame server messages report hosts that are 
believed to be name servers for the given domains, but which do not believe themselves to be 
such. This is often due to a configuration error on the part of that hostmaster. 

You can disable "Lame server" messages by using the logging statement in your named.conf 
file: 

logging { 
    category lame-servers { null; }; 
}; 

By the way, some of us also like to disable messages like "... points to a CNAME" by adding the 
following line to the logging statement: 

    category cname { null; }; 
Step 2 
Finally, we must set the mode permissions of this file to be (0600/-rw-------) and owned by 
the user 'named' for security reasons. 

• To change the mode permissions and ownership of the named.conf file, use the 
following commands: 
[root@deep /]# chmod 600 /etc/named.conf 
[root@deep /]# chown named.named /etc/named.conf 


/var/named/db.127.0.0: The reverse mapping File 

Use this configuration file for the server on your network that acts as a Slave Name Server. The 
“db.127.0.0” file covers the loopback network by providing a reverse mapping for the loopback 
address on your system. 


Step 1 
Create the following file in /var/named. 


• Create the db.127.0.0 file (touch /var/named/db.127.0.0) and add the following 
lines in the file: 


; Revision History: March 01, 2001 - root@openna.com 
; Start of Authority (SOA) records. 

$TTL 172800 

@   IN   SOA   ns1.openna.com. root.openna.com. ( 
                00        ; Serial 
                10800     ; Refresh after 3 hours 
                3600      ; Retry after 1 hour 
                604800    ; Expire after 1 week 
                172800 )  ; Minimum TTL of 1 day 

; Name Server (NS) records. 
    IN   NS    ns1.openna.com. 
    IN   NS    ns2.openna.com. 

; Only one PTR record. 
1   IN   PTR   localhost. 


Step 2 
Now, we must set the mode permissions of this file to be (0644/-rw-r--r--) and owned by the 
user 'named' for security reasons. 

• To change the mode permissions and ownership of this file, use the following commands: 
[root@deep /]# chmod 644 /var/named/db.127.0.0 
[root@deep /]# chown named.named /var/named/db.127.0.0 
/var/named/db.cache: The Root server hints File 

This section applies for all types of Name Server (Caching, Master or Slave) that you may want to 
install in your system. The db.cache file is also known as the “Root server hints file” and tells 
your server (Caching, Master or Slave) where the servers for the “root” zone are. You must get a 
copy of the db.cache file and copy it into the /var/named directory. 


Step 1 
Use the following commands on another Unix computer in your organization to query a new 
db.cache file for your Name Servers, or pick one from your Linux CD-ROM source distribution: 

• To query a new db.cache file, use the following command: 
[root@deep]# dig @a.root-servers.net . ns > db.cache 

• To query a new db.cache file by IP address, use the following command: 
[root@deep]# dig @198.41.0.4 . ns > db.cache 


Don't forget to copy the db.cache file to the /var/named directory on your Name Server after 
retrieving it over the Internet. 








NOTE: The root name servers do not change very often, but they do change. A good practice is to 
update your db.cache file every month or two. 





Step 2 
Now, we must set the mode permissions of this file to be (0644/-rw-r--r--) and owned by the 
user 'named' for security reasons. 

• To change the mode permissions and ownership of this file, use the following commands: 
[root@deep /]# chmod 644 /var/named/db.cache 
[root@deep /]# chown named.named /var/named/db.cache 


/etc/sysconfig/named: The ISC BIND & DNS System Configuration File 

This section applies for all types of Name Server (Caching, Master or Slave) that you may want to 
install in your system. The /etc/sysconfig/named file is used to specify ISC BIND & DNS 
system configuration information, such as whether ISC BIND & DNS should run in a chroot 
environment, and whether additional options are required to be passed to the named daemon at 
startup. 


• Create the named file (touch /etc/sysconfig/named) and add the following lines: 


# Currently, you can use the following options: 
#ROOTDIR="" 
#OPTIONS="" 


The “ROOTDIR=""” option instructs ISC BIND & DNS where its root directory should be located. 
This line is useful when you want to run ISC BIND & DNS in a chroot jail environment for more 
security. For now, this line must be commented out, since we'll see later in this chapter how to run 
ISC BIND & DNS in a chroot environment and how to use this option. 

As usual with many daemons under Unix, we can add special options to the command line before 
starting the daemons. With the new System V feature of Linux, most command line options can 
now be specified in config files like the one above. The “OPTIONS=""” parameter in the 
/etc/sysconfig/named file serves this purpose for ISC BIND & DNS. We can, for example, add 
the “-d” option to set the debug level of ISC BIND & DNS, but in most cases we don't need to use it. 


/etc/rc.d/init.d/named: The ISC BIND & DNS Initialization File 

This section applies for all types of Name Server (Caching, Master or Slave) that you may want to 
install in your system. The /etc/rc.d/init.d/named script file is responsible for automatically 
starting and stopping the ISC BIND & DNS daemon on your server. Loading the named daemon 
as a standalone daemon will eliminate load time and will even reduce swapping since non-library 
code will be shared. 

Step 1 
Create the named script file (touch /etc/rc.d/init.d/named) and add the following lines 
inside it: 


#!/bin/bash 
# 
# named           This shell script takes care of starting and stopping 
#                 named (BIND DNS server). 
# 
# chkconfig: - 55 45 
# description: named (BIND) is a Domain Name Server (DNS) \ 
#              that is used to resolve host names to IP addresses. 
# probe: true 

# Source function library. 
. /etc/rc.d/init.d/functions 

# Source networking configuration. 
. /etc/sysconfig/network 

# Check that networking is up. 
[ "${NETWORKING}" = "no" ] && exit 0 

# Pull in ROOTDIR and OPTIONS from the system configuration file, if present. 
[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named 

# Nothing to do if the binary or the (possibly chrooted) configuration is missing. 
[ -f /usr/sbin/named ] || exit 0 
[ -f "${ROOTDIR}"/etc/named.conf ] || exit 0 

RETVAL=0 

start() { 
        # Start daemons. 
        echo -n "Starting named: " 
        # When ROOTDIR is set (and is not "/"), tell named to chroot into it. 
        if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then 
                OPTIONS="${OPTIONS} -t ${ROOTDIR}" 
        fi 
        daemon named -u named ${OPTIONS} 
        RETVAL=$? 
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named 
        echo 
        return $RETVAL 
} 

stop() { 
        # Stop daemons. 
        echo -n "Shutting down named: " 
        killproc named 
        RETVAL=$? 
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named 
        echo 
        return $RETVAL 
} 

restart() { 
        stop 
        start 
} 

reload() { 
        /usr/sbin/rndc reload 
        return $? 
} 

probe() { 
        /usr/sbin/rndc reload >/dev/null 2>&1 || echo start 
        return $? 
} 

# See how we were called. 
case "$1" in 
  start) 
        start 
        ;; 
  stop) 
        stop 
        ;; 
  restart) 
        restart 
        ;; 
  condrestart) 
        [ -f /var/lock/subsys/named ] && restart 
        ;; 
  reload) 
        reload 
        ;; 
  probe) 
        probe 
        ;; 
  *) 
        echo "Usage: named {start|stop|restart|condrestart|reload|probe}" 
        exit 1 
esac 

exit $? 
Step 2 

Once the named script file has been created, it is important to make it executable, change its 
default permissions, create the necessary links and start it. Making this file executable will allow 
the system to run it; changing its default permission allows only the root user to change this 
file, for security reasons; and creating the symbolic links will let the process control 
initialization of Linux, which is in charge of starting all the normal and authorized processes that 
need to run at boot time on your system, start the program automatically for you at each boot. 

• To make this script executable and to change its default permissions, use the commands: 
[root@deep /]# chmod 700 /etc/rc.d/init.d/named 
[root@deep /]# chown 0.0 /etc/rc.d/init.d/named 

• To create the symbolic rc.d links for ISC BIND & DNS, use the following commands: 
[root@deep /]# chkconfig --add named 
[root@deep /]# chkconfig --level 2345 named on 

• To start ISC BIND & DNS software manually, use the following command: 
[root@deep /]# /etc/rc.d/init.d/named start 
Starting named:                                  [OK] 


NOTE: All the configuration files required for each piece of software described in this book have 
been provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be 
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can 
unpack this to any location on your local machine, say for example /var/tmp; assuming you 
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy 
directory each configuration file has its own directory for its respective software. You can either cut 
and paste these directly if you are faithfully following our instructions from the beginning, or 
manually edit them to suit your needs. This facility is there as a convenience, but please don't 
forget that ultimately it will be your responsibility to check, verify, etc. before you use them, 
whether modified or as they are. 





Running ISC BIND & DNS in a chroot jail 

This part focuses on preventing ISC BIND & DNS from being used as a point of break-in to the 
system hosting it. Since ISC BIND & DNS performs a relatively large and complex function, the 
potential for bugs that affect security is rather high with this software. In fact, there have been 
many exploitable bugs in the past that allowed a remote attacker to obtain root access to hosts 
running ISC BIND & DNS. 


To minimize this risk, ISC BIND & DNS can be run as a non-root user, which will limit any 
damage to what can be done as a normal user with a local shell. Of course, this is not enough for 
the security requirements of most DNS servers, so an additional step can be taken - that is, 
running ISC BIND & DNS in a chroot jail. 


The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS 
daemon program can see to the root directory of the jail. Additionally, since the jail only needs to 
support DNS, the programs related to ISC BIND & DNS available in the jail can be extremely 
limited. Most importantly, there is no need for setuid-root programs, which can be used to gain 
root access and break out of the jail. 
[Figure: DNS in chroot jail. Our chroot jail, which hosts the ISC BIND/DNS server and is owned by 
the user "named", sits inside our Linux file system; the jail is a bubble holding a small copy of our 
Linux file system structure for ISC BIND/DNS.] 
Necessary steps to run ISC BIND & DNS software in a chroot jail: 

What you're essentially doing is creating a skeleton root file system with enough components 
(directories, files, etc.) to allow Unix to do a chroot when the ISC BIND & DNS daemon 
starts. Contrary to its predecessor (BIND8), BIND9 is far easier to set up in a chroot jail 
environment. There is now no need to copy the shared library dependencies of the named binary, 
or any binary programs, into the jail. All you have to do is copy its configuration file with its zone 
files and instruct its daemon process to chroot to the appropriate directory before starting. 


Step 1 

The first step to do for running ISC BIND & DNS in a chroot jail will be to set up the chroot 
environment, and create the root directory of the jail. We've chosen /chroot/named for this 
purpose because we want to put this on its own separate file system to prevent file system 
attacks. Early in our Linux installation procedure we created a special partition /chroot for this 
exact purpose. 

[root@deep /]# /etc/rc.d/init.d/named stop    ← Only if the named daemon is already running. 
Shutting down named:                              [OK] 
[root@deep /]# mkdir -p /chroot/named 
[root@deep /]# mkdir -p /chroot/named/etc 
[root@deep /]# mkdir -p /chroot/named/var/run/named 
[root@deep /]# mkdir -p /chroot/named/var/named 
[root@deep /]# chown -R named.named /chroot/named/var/run/named/ 
[root@deep /]# chown -R named.named /chroot/named/var/named/ 


We need all of the above directories because, from the point of the chroot, we're sitting at “/” and 
anything above this directory is inaccessible. 








WARNING: The /chroot/named/var/named directory and all files in this directory must be 
owned by the user “named”, the user the named process runs as. 





Step 2 
After that, we must move the main configuration files of ISC BIND & DNS into the appropriate 
places in the chroot jail. This includes the named.conf file and all zone files. 

[root@deep /]# mv /etc/named.conf /chroot/named/etc/ 
[root@deep /]# cd /var/named; mv * /chroot/named/var/named/ 
[root@deep named]# chown named.named /chroot/named/etc/named.conf 
[root@deep named]# chown -R named.named /chroot/named/var/named/* 


Step 3 
You will also need the /etc/localtime file in your chroot jail structure so that log entries are 
adjusted for your local time zone properly. 


[root@deep named]# cp /etc/localtime /chroot/named/etc/ 
Step 4 
Now we must set the immutable bit on the named.conf file in the chroot jail directory for better 
security. 

• This procedure can be accomplished with the following commands: 
[root@deep named]# cd /chroot/named/etc/ 
[root@deep etc]# chattr +i named.conf 








WARNING: Don't forget to remove the immutable bit on these files if you have some modifications 
to bring to them, with the command “chattr -i”. 





Step 5 

Once the required files to run ISC BIND & DNS in the chroot jail environment have been 
relocated, we can remove the unnecessary directories related to ISC BIND & DNS from the 
system since the ones we'll work with now on a daily basis are located under the chroot directory. 
These directories are /var/named and /var/run/named. 


[root@deep /]# rm -rf /var/named/ 
[root@deep /]# rm -rf /var/run/named/ 


Step 6 
After that, it is time to instruct ISC BIND & DNS to start in the chroot jail environment. The 
/etc/sysconfig/named file is used for this purpose. 


• Edit the named file (vi /etc/sysconfig/named) and change the following lines: 


# Currently, you can use the following options: 
#ROOTDIR="" 
#OPTIONS="" 


To read: 


# Currently, you can use the following options: 
ROOTDIR="/chroot/named/" 


The “ROOTDIR="/chroot/named/"” option instructs ISC BIND & DNS where the chroot 
directory is located. The named daemon therefore reads this line in the 
/etc/sysconfig/named file and chroots to the specified directory before starting. 


Step 7 
Finally, we must test the new chrooted jail configuration of our ISC BIND & DNS server. 


• Start the new chrooted jail ISC BIND & DNS with the following command: 
[root@deep /]# /etc/rc.d/init.d/named start 
Starting named:                                  [OK] 

• If you don't get any errors, do a ps ax | grep named and see if we're running: 
[root@deep /]# ps ax | grep named 
4278 ?        S      0:00 named -u named -t /chroot/named/ 
4279 ?        S      0:00 named -u named -t /chroot/named/ 
4280 ?        S      0:00 named -u named -t /chroot/named/ 
4281 ?        S      0:00 named -u named -t /chroot/named/ 
If so, let's check to make sure it's chrooted by picking out one of its process numbers and doing 
ls -la /proc/that_process_number/root/. 

[root@deep /]# ls -la /proc/4278/root/ 


If you see something like: 
total 4 


drwxrwxr-x 4 root root 1024 Feb 22 16:23 . 
drwxr-xr-x 4 root root 1024 Feb 22 14:33 .. 
drwxrwxr-x 2 root root 1024 Feb 22 15:52 etc 
drwxrwxr-x 4 root root 1024 Feb 22 14:34 var 


Congratulations! Your ISC BIND & DNS in chroot jail is working. 
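As an added example that is not from the book, the following Python script re-checks the jail built in Steps 1 to 6 above after the fact: the directory skeleton, the relocated named.conf and localtime, the ownership of the zone directories, the 0600 mode on named.conf, and an uncommented ROOTDIR line in /etc/sysconfig/named. build_demo_jail() creates a throwaway copy of that layout under a temporary directory (empty placeholder files, owned by the current user) so the check can be run without root; the function names, the sample sysconfig text and the problem messages are constructed for this example.

```python
import os
import tempfile

# Layout created in Step 1 to Step 3 above, relative to the jail root.
JAIL_DIRS = ("etc", "var/run/named", "var/named")
JAIL_FILES = ("etc/named.conf", "etc/localtime",
              "var/named/db.cache", "var/named/db.127.0.0")

# Constructed: /etc/sysconfig/named as it looks before Step 6 (ROOTDIR still commented out).
SYSCONFIG_BEFORE_STEP6 = '# Currently, you can use the following options:\n#ROOTDIR=""\n#OPTIONS=""\n'


def rootdir_from_sysconfig(text):
    """Value of an uncommented ROOTDIR= line, or None when named would not chroot."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ROOTDIR="):
            return line.split("=", 1)[1].strip().strip('"')
    return None


def audit_jail(root, sysconfig_text, owner_uid):
    """Check the jail at `root` against the chapter's steps and return a list of
    problems. owner_uid is the uid the zone directories must belong to (the uid
    of the "named" user on a real server)."""
    problems = []
    for d in JAIL_DIRS:
        if not os.path.isdir(os.path.join(root, d)):
            problems.append(f"missing directory {d}")
    for f in JAIL_FILES:
        if not os.path.isfile(os.path.join(root, f)):
            problems.append(f"missing file {f}")
    for d in ("var/run/named", "var/named"):        # chown -R named.named in Step 1
        path = os.path.join(root, d)
        if os.path.isdir(path) and os.stat(path).st_uid != owner_uid:
            problems.append(f"{d} not owned by uid {owner_uid}")
    conf = os.path.join(root, "etc/named.conf")
    if os.path.isfile(conf) and (os.stat(conf).st_mode & 0o777) != 0o600:
        problems.append("etc/named.conf is not mode 0600")
    rootdir = rootdir_from_sysconfig(sysconfig_text)
    if rootdir is None:
        problems.append("ROOTDIR not set in /etc/sysconfig/named, named will not chroot")
    elif os.path.normpath(rootdir) != os.path.normpath(root):
        problems.append(f"ROOTDIR={rootdir} does not point at the jail")
    return problems


def build_demo_jail():
    """Build a throwaway copy of the jail layout under a temporary directory
    and return (root, owner_uid, sysconfig_text) as they would be after Step 6."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    for d in JAIL_DIRS:
        os.makedirs(os.path.join(root, d))
    for f in JAIL_FILES:
        with open(os.path.join(root, f), "w"):
            pass                                    # empty placeholder file
    os.chmod(os.path.join(root, "etc/named.conf"), 0o600)   # chmod 600 from the named.conf section
    sysconfig = f'# Currently, you can use the following options:\nROOTDIR="{root}/"\n'
    return root, os.getuid(), sysconfig


if __name__ == "__main__":
    root, uid, sysconfig = build_demo_jail()
    print("after Step 6:", audit_jail(root, sysconfig, uid) or "OK")
    print("before Step 6:", audit_jail(root, SYSCONFIG_BEFORE_STEP6, uid))
```

On a real server you would call audit_jail("/chroot/named", open("/etc/sysconfig/named").read(), uid_of_named) with the uid taken from the password database.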


Securing ISC BIND & DNS 

This section deals especially with actions we can take to improve and tighten security under ISC 
BIND & DNS. The interesting point here is that we refer to the features available within the base 
installed program and not to any additional software. 


TSIG based transaction security with BIND 

This section applies only if you chose to install and use ISC BIND & DNS as a Master or Slave 
Name Server in your system. The new BIND9, which is a major rewrite of almost all aspects of the 
underlying BIND architecture, allows us to create transaction keys and use Transaction 
SIGnatures (TSIG) with ISC BIND & DNS (TSIG is used for signed DNS requests). 


This means that if the server receives a message signed by this key, it can verify the signature. If 
the signature succeeds, the same key signs the response. 


This new feature of BIND will allow us to have a better control about who can make a zone 
transfer, notify, and recursive query messages on the DNS server. It might be useful for dynamic 
updates too. Below, we show you all the required steps to generate this key and how to use it in 
your named. conf file. 


Step 1 

The first step will be to generate shared keys for each pair of hosts. This shared secret will be 
shared between Primary Domain Name Server and Secondary Domain Name Server and an 
arbitrary key name must be chosen like in our example "ns1-ns2". It is also important that the 
key name be the same on both hosts. 


• To generate shared keys, use the following command: 
[root@deep /]# dnssec-keygen -a hmac-md5 -b 128 -n HOST ns1-ns2 
Kns1-ns2.+157+49406 
Step 2 

The above command will generate a 128 bit (16 byte) HMAC-MD5 key and the result will be in a 
file called “Kns1-ns2.+157+49406.private” with a base-64 encoded string following the 
word "Key:", which must be extracted from the file and used as a shared secret. 


• Edit the Kns1-ns2.+157+49406.private file (vi Kns1-ns2.+157+49406.private), 
and extract the base-64 encoded string: 


Private-key-format: v1.2 
Algorithm: 157 (HMAC_MD5) 
Key: psljy3f7czValVNZkYaLfw== 


The string "psljy3f7czValVNZkYaLfw==" in the above example is the part of this file that must 
be extracted and used as the shared secret. 


Step 3

Once the required base-64 encoded string has been extracted from the generated file, we can
remove the files from our system and copy the shared secret to the other machine via a secure
transport mechanism such as ssh, or out of band by telephone. Never send it over an unencrypted
channel: anyone who learns the secret can sign requests as ns1 or ns2.


• To remove the generated files from the system, use the following commands:
[root@deep /]# rm -f Kns1-ns2.+157+49406.key
[root@deep /]# rm -f Kns1-ns2.+157+49406.private


Step 4
After that, it is time to inform both servers (Primary & Secondary) of the key's existence by adding
the following statement to each server's named.conf file.


• Edit the named.conf file (vi /chroot/named/etc/named.conf) on both DNS
servers, and add the following lines:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};


Once the above lines have been added, your named.conf file on both DNS servers (Primary &
Secondary) should look something like:
For Primary/Master server:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};

options {
    directory "/var/named";
    allow-transfer { 207.35.78.6; };
    allow-query { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    version "Go away!";
};

logging {
    category lame-servers { null; };
};

// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};

// We are the master server for openna.com
zone "openna.com" {
    type master;
    file "db.openna";
    allow-query { any; };
};

zone "78.35.207.in-addr.arpa" {
    type master;
    file "db.207.35.78";
    allow-query { any; };
};
For Secondary/Slave server:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};

options {
    directory "/var/named";
    allow-transfer { none; };
    allow-query { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    version "Go away!";
};

logging {
    category lame-servers { null; };
};

// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};

// We are a slave server for openna.com
zone "openna.com" {
    type slave;
    file "db.openna";
    masters { 207.35.78.5; };
    allow-query { any; };
};

zone "78.35.207.in-addr.arpa" {
    type slave;
    file "db.207.35.78";
    masters { 207.35.78.5; };
    allow-query { any; };
};
Step 5

One of the last steps is to instruct both servers (Primary & Secondary) to use the key. The
servers must be told when keys are to be used. Adding a server statement to the named.conf
file on both DNS servers does this: on ns1 we add the IP address of ns2, and on ns2 we add the
IP address of ns1. From then on, every request a server sends to that peer is signed with the
key, and signed requests arriving from the peer are verified with it.


• Edit the named.conf file (vi /chroot/named/etc/named.conf) on both DNS
servers, and add the following lines:


server x.x.x.x {
    keys { ns1-ns2; };
};


Where x.x.x.x is the IP address of the other name server.


Once the above lines have been added, your named.conf file on both DNS servers (Primary &
Secondary) should look something like:


For Primary/Master server:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};

server 207.35.78.6 {
    keys { ns1-ns2; };
};

options {
    directory "/var/named";
    allow-transfer { 207.35.78.6; };
    allow-query { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    version "Go away!";
};

logging {
    category lame-servers { null; };
};

// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};

// We are the master server for openna.com
zone "openna.com" {
    type master;
    file "db.openna";
    allow-query { any; };
};

zone "78.35.207.in-addr.arpa" {
    type master;
    file "db.207.35.78";
    allow-query { any; };
};
For Secondary/Slave server:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};

server 207.35.78.5 {
    keys { ns1-ns2; };
};

options {
    directory "/var/named";
    allow-transfer { none; };
    allow-query { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    version "Go away!";
};

logging {
    category lame-servers { null; };
};

// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};

// We are a slave server for openna.com
zone "openna.com" {
    type slave;
    file "db.openna";
    masters { 207.35.78.5; };
    allow-query { any; };
};

zone "78.35.207.in-addr.arpa" {
    type slave;
    file "db.207.35.78";
    masters { 207.35.78.5; };
    allow-query { any; };
};
Step 6
Finally, since the named.conf file now contains a secret key, it is recommended that
named.conf (on Primary & Secondary servers) be non-world readable. Mode 600 is enough only
if the file stays owned by the user named runs as ("named" in our setup); otherwise the daemon
can no longer read its own configuration.


• This procedure can be accomplished with the following command on the Primary server:
[root@deep /]# chmod 600 /chroot/named/etc/named.conf


• This procedure can be accomplished with the following command on the Secondary server:
[root@deep /]# chmod 600 /chroot/named/etc/named.conf


Restart your DNS server on both sides for the changes to take effect.


• Restart ISC BIND & DNS with the following command on both DNS servers:
[root@deep /]# /etc/rc.d/init.d/named restart
Shutting down named: [OK]
Starting named: [OK]








WARNING: With the TSIG feature enabled on your DNS server, it is important to be sure that the
clocks on the client and server are synchronized (for example with NTP). TSIGs include a
timestamp to reduce the potential for replay attacks; BIND accepts a signature only if the time
signed lies within the "fudge" window (300 seconds by default) of its own clock. If the client
and server's clocks are out by more than that, TSIG validations will inevitably fail with BADTIME.
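To make concrete what the server actually signs and checks, here is an added example (not code from the book, nor from ISC BIND) that implements the TSIG request and response MAC of RFC 2845 with HMAC-MD5 in Python, using the ns1-ns2 secret from above. The DNS message bytes are a constructed stand-in for an AXFR query, and the now values are chosen to exercise the fudge check; a real server takes both from the wire and from its clock.

```python
"""TSIG (RFC 2845) HMAC-MD5 signing and verification, as done between ns1 and ns2.

Added example, not part of the book or of BIND. The message bytes and the
clock values in main() are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time

ALGORITHM = "hmac-md5.sig-alg.reg.int."   # algorithm name carried in the TSIG RR
DEFAULT_FUDGE = 300                        # BIND's default allowed clock skew, seconds


def wire_name(name):
    """Canonical (lowercase) wire-format encoding of a domain name."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 2845, section 3.4.2)."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)                       # class ANY, TTL 0
            + wire_name(ALGORITHM)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(secret_b64, message, key_name, time_signed, fudge, request_mac=b""):
    """HMAC-MD5 over [length-prefixed request MAC] + DNS message + TSIG variables."""
    data = b""
    if request_mac:                       # a signed response also covers the request's MAC
        data += struct.pack("!H", len(request_mac)) + request_mac
    data += message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(base64.b64decode(secret_b64), data, hashlib.md5).digest()


def sign(secret_b64, message, key_name, now=None, fudge=DEFAULT_FUDGE, request_mac=b""):
    """Produce the TSIG fields a signer appends to `message`."""
    now = int(time.time()) if now is None else now
    mac = tsig_mac(secret_b64, message, key_name, now, fudge, request_mac)
    return {"key_name": key_name, "time_signed": now, "fudge": fudge, "mac": mac}


def verify(secret_b64, message, tsig, now=None, request_mac=b""):
    """Check a received TSIG the way BIND does: the MAC first, then the time window.

    Returns "NOERROR", "BADSIG" (MAC mismatch: wrong key or tampered message)
    or "BADTIME" (clocks more than `fudge` seconds apart).
    """
    now = int(time.time()) if now is None else now
    expected = tsig_mac(secret_b64, message, tsig["key_name"],
                        tsig["time_signed"], tsig["fudge"], request_mac)
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    secret = "psljy3f7czValVNZkYaLfw=="              # the ns1-ns2 secret from the example
    # Constructed stand-in for an AXFR query for openna.com (header + question section).
    axfr = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
            + wire_name("openna.com") + b"\x00\xfc\x00\x01")
    req = sign(secret, axfr, "ns1-ns2", now=1_000_000)
    print(verify(secret, axfr, req, now=1_000_100))            # NOERROR: within fudge
    print(verify(secret, axfr + b"x", req, now=1_000_100))     # BADSIG: message altered
    print(verify(secret, axfr, req, now=1_000_000 + 301))      # BADTIME: skew > 300 s
    # The response is signed with the same key, and its MAC also covers the request MAC.
    resp = sign(secret, b"response-bytes", "ns1-ns2", now=1_000_001, request_mac=req["mac"])
    print(verify(secret, b"response-bytes", resp, now=1_000_001, request_mac=req["mac"]))
```

Two details are worth noticing: the response MAC chains to the request MAC, so a valid response cannot be replayed against a different request; and BADTIME is only reported after the MAC checks out, so a clock problem is never confused with a wrong or missing key.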





Using TSIG key based access control to make a zone transfer

This section applies only if you chose to install and use ISC BIND & DNS as a Master or Slave
Name Server in your system. Once the TSIG feature has been configured and enabled in your
DNS server, we can use it to improve security on the system.


One improvement can be made with the allow-transfer statement of ISC BIND & DNS.
Usually, we configure our Primary/Master Domain Name Server to respond to zone transfer
requests only from authorized IP addresses. In most cases, we'll only authorize our known
Secondary/Slave Domain Name Servers. The same technique as described here can also be
used for dynamic update, notify, and recursive query messages.


With BIND9, we do that on the Primary Name Server with a directive like
"allow-transfer { 207.35.78.6; };", but an address-based ACL trusts whatever source
address is on the packet. With the key shared between ns1 and ns2 as we did previously, our
named.conf file can name TSIG keys in its ACLs, and we can use this feature to modify the
allow-transfer directive so that a zone transfer between ns1 and ns2 requires a valid signature
rather than just the right address.


• To use TSIG key based access control to make a zone transfer between the Primary DNS &
Secondary DNS, edit your named.conf file on the Primary/Master Domain Name Server
(vi /chroot/named/etc/named.conf) and change the line:


allow-transfer { 207.35.78.6; };


To read:


allow-transfer { key ns1-ns2; };


This allows a zone transfer to succeed only if the request was signed with the key named
"ns1-ns2", which only your Primary & Secondary DNS servers know and hold in their named.conf
files. An unsigned request, even one coming from 207.35.78.6, is now refused. Nothing changes on
the Secondary: its server statement for 207.35.78.5 already makes it sign the requests it sends.
You can check the result from the Secondary with dig: an AXFR of openna.com from ns1 without a
key must be refused, while the same AXFR with "-y ns1-ns2:psljy3f7czValVNZkYaLfw==" must succeed.


Once the above line has been modified, your named.conf file on the Primary/Master server
should look something like:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};

server 207.35.78.6 {
    keys { ns1-ns2; };
};

options {
    directory "/var/named";
    allow-transfer { key ns1-ns2; };
    allow-query { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    version "Go away!";
};

logging {
    category lame-servers { null; };
};

// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};

// We are the master server for openna.com
zone "openna.com" {
    type master;
    file "db.openna";
    allow-query { any; };
};

zone "78.35.207.in-addr.arpa" {
    type master;
    file "db.207.35.78";
    allow-query { any; };
};
WARNING: If you use BIND9's dynamic update functionality, you'll also want to restrict zone
updates to authorized signers, and you'd do this in the zone statement, as below. Note that if
you don't specify an allow-update option, updates are not allowed for that zone, so you'll only
need to do this if you actually use dynamic update.


zone "openna.com" {
    type master;
    file "db.openna";
    allow-update { key ns1-ns2; };
    allow-query { any; };
};





Using encryption algorithm for the name server control utility rndc

This section applies to all types of ISC BIND & DNS server. The BIND9 utility for controlling the
name server, rndc, has its own configuration file, /etc/rndc.conf, which also requires a TSIG key
to work (the key authenticates each command sent over the control channel with an HMAC; it does
not encrypt the channel). The name server must be configured to accept rndc connections and to
recognize the key specified in the rndc.conf file, using the controls statement in named.conf.
Below are the procedures to follow before using rndc on your system.


Step 1
The first step is to generate the shared key. This shared secret key will be included in both the
/etc/rndc.conf file and the /chroot/named/etc/named.conf file.


• To generate a random shared key, use the following command:
[root@deep /]# dnssec-keygen -a hmac-md5 -b 128 -n user rndc
Krndc.+157+36471


Step 2

The above command generates a 128 bit (16 byte) HMAC-MD5 key and writes it to a file called
"Krndc.+157+36471.private", where the base-64 encoded secret follows the word "Key:". This
string must be extracted from the file and used as the shared secret.


• Edit the Krndc.+157+36471.private file (vi Krndc.+157+36471.private), and
extract the base-64 encoded string:


Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 9kMjJEIB5ikRJ6NSwtXWWVg==


The string "9kMjJEIB5ikRJ6NSwtXWWVg==" in the above example is the part of this file that must
be extracted and used as the shared secret.





Step 3

Once the required base-64 encoded string has been extracted from the generated file, we can
remove the files from our system and copy the shared secret into both the rndc.conf and
named.conf files.


• To remove the generated files from the system, use the following commands:
[root@deep /]# rm -f Krndc.+157+36471.key
[root@deep /]# rm -f Krndc.+157+36471.private
Step 4
After that, we must edit the rndc.conf file and configure it with the key.


• Edit the rndc.conf file (vi /etc/rndc.conf), and add the following lines:


options {
    default-server localhost;
    default-key "localkey";
};

server localhost {
    key "localkey";
};

key "localkey" {
    algorithm hmac-md5;
    secret "9kMjJEIB5ikRJ6NSwtXWWVg==";
};


In the above example, rndc will by default use the server at localhost (127.0.0.1) and the key
called localkey. Commands to the localhost server will use the localkey key. The key
statement indicates that localkey uses the HMAC-MD5 algorithm, and its secret clause contains
the base-64 encoding of the HMAC-MD5 secret enclosed in double quotes. Since rndc.conf now
holds a secret, it should be readable only by root (chmod 600 /etc/rndc.conf), just as was
done for named.conf in the previous section.


Step 5
Also don't forget to edit the named.conf file and configure it with the key.


• Edit the named.conf file (vi /chroot/named/etc/named.conf), and add the key
localkey and controls statements shown here:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};

server 207.35.78.6 {
    keys { ns1-ns2; };
};

key localkey {
    algorithm hmac-md5;
    secret "9kMjJEIB5ikRJ6NSwtXWWVg==";
};

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; };
};

options {
    directory "/var/named";
    allow-transfer { key ns1-ns2; };
    allow-query { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    version "Go away!";
};

logging {
    category lame-servers { null; };
};

// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};

// We are the master server for openna.com
zone "openna.com" {
    type master;
    file "db.openna";
    allow-query { any; };
};

zone "78.35.207.in-addr.arpa" {
    type master;
    file "db.207.35.78";
    allow-query { any; };
};


In the above example, rndc connections will only be accepted at localhost (127.0.0.1), and only
when signed with localkey: the allow list restricts who may connect, the keys list restricts who is
believed.
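The keys in rndc.conf and named.conf have to agree exactly, and a typo in a key name (in a server, controls or allow-transfer reference) silently leaves the reference pointing at a key that does not exist. The following added example (not part of the book, nor of BIND) is a small Python lint that reads named.conf and rndc.conf text, extracts the key statements and every place a key is referenced, and reports undefined references, secrets that are not valid base64 of the requested length, and an rndc.conf key that does not match its named.conf counterpart; it also generates a fresh secret equivalent to what dnssec-keygen -a hmac-md5 -b 128 writes after "Key:". It covers the ns1-ns2 key from the TSIG section as well as localkey. The parsing is deliberately limited to the simple stanzas used on this page and is not a full named.conf parser; the configuration text in main() is constructed from the examples above, with an assumed typo "nsi-ns2" to show the check firing.

```python
"""Lint the TSIG key setup shared by named.conf and rndc.conf.

Added example, not part of the book or of BIND. It understands only the simple
key / server / controls / allow-* stanzas used on this page.
"""
import base64
import binascii
import re
import secrets

_COMMENT = re.compile(r"(//|#)[^\n]*")
# key NAME { algorithm ALG; secret "BASE64"; };
_KEY_DEF = re.compile(
    r'\bkey\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+"?([\w-]+)"?\s*;'
    r'\s*secret\s+"([^"]*)"\s*;\s*\}', re.S)
_KEYS_CLAUSE = re.compile(r"\bkeys\s*\{([^}]*)\}")   # server { keys {..} }, controls ... keys {..}
_KEY_REF = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*;')  # allow-transfer { key X; }, default-key "X";


def strip_comments(conf):
    return _COMMENT.sub("", conf)


def defined_keys(conf):
    """Map key name -> (algorithm, base64 secret) for every key statement."""
    return {m.group(1): (m.group(2).lower(), m.group(3))
            for m in _KEY_DEF.finditer(strip_comments(conf))}


def referenced_keys(conf):
    """Every key name the configuration points at, wherever it appears."""
    text = strip_comments(conf)
    names = set(_KEY_REF.findall(text))
    for m in _KEYS_CLAUSE.finditer(text):
        names.update(n.strip().strip('"') for n in m.group(1).split(";") if n.strip())
    return names


def check_secret(secret, bits=128):
    """None if the secret is base64 of the length given to dnssec-keygen -b, else why not."""
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return "is not valid base64"
    if len(raw) * 8 != bits:
        return f"decodes to {len(raw) * 8} bits, expected {bits}"
    return None


def lint(named_conf, rndc_conf=None, bits=128):
    """Return a list of problems; an empty list means the key setup is consistent."""
    problems = []
    keys = defined_keys(named_conf)
    for name, (alg, secret) in keys.items():
        if alg != "hmac-md5":
            problems.append(f"named.conf key {name}: unexpected algorithm {alg}")
        err = check_secret(secret, bits)
        if err:
            problems.append(f"named.conf key {name}: secret {err}")
    for name in sorted(referenced_keys(named_conf) - set(keys)):
        problems.append(f"named.conf references undefined key {name}")
    if rndc_conf is not None:
        rkeys = defined_keys(rndc_conf)
        for name in sorted(referenced_keys(rndc_conf) - set(rkeys)):
            problems.append(f"rndc.conf references undefined key {name}")
        for name, keydef in rkeys.items():
            if name not in keys:
                problems.append(f"rndc.conf key {name} is not defined in named.conf")
            elif keys[name] != keydef:
                problems.append(f"rndc.conf key {name} does not match named.conf")
        if "controls" not in strip_comments(named_conf):
            problems.append("named.conf has no controls statement; rndc will be refused")
    return problems


def new_secret(bits=128):
    """The same thing dnssec-keygen -a hmac-md5 -b <bits> writes after "Key:"."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode("ascii")


if __name__ == "__main__":
    # Constructed from the examples on this page; the server line carries the assumed typo.
    named = """
    key ns1-ns2 { algorithm hmac-md5; secret "psljy3f7czValVNZkYaLfw=="; };
    server 207.35.78.6 { keys { nsi-ns2 ;}; };
    key localkey { algorithm hmac-md5; secret "JpWopXTHbRel32xLP9x7rg=="; };
    controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; }; };
    options { allow-transfer { key ns1-ns2; }; };
    """
    rndc = """
    options { default-server localhost; default-key "localkey"; };
    server localhost { key "localkey"; };
    key "localkey" { algorithm hmac-md5; secret "JpWopXTHbRel32xLP9x7rg=="; };
    """
    for problem in lint(named, rndc):
        print(problem)            # named.conf references undefined key nsi-ns2
    print(new_secret())           # a fresh 128-bit secret for a key statement
```

Run it against the real files before restarting named: a key that named cannot find is reported in the log only at the moment the peer or rndc tries to use it, which is usually when you are least expecting it.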


Step 6
Finally, it is important to restart your DNS server for the changes to take effect.


• Restart ISC BIND & DNS with the following command:
[root@deep /]# /etc/rc.d/init.d/named restart
Shutting down named: [OK]
Starting named: [OK]








WARNING: The key-based control channel for the name server control utility rndc doesn't work
with the lwresd.conf file. It only works with the named.conf file, not with lwresd.conf, so
lwresd (described later in this chapter) is not managed through rndc.





DNSSEC Cryptographic authentication of DNS information

This section applies only if you chose to install and use ISC BIND & DNS as a Master or Slave
Name Server in your system. The BIND9 release of ISC BIND & DNS includes support for
validation of DNSSEC (DNS Security) signatures in responses, but it should still be considered
experimental. The DNSSEC feature of BIND9 is used for signed zones: what DNSSEC does is let a
resolver verify that the records it received were published by the owner of the zone and have not
been tampered with in transit. Unlike TSIG, it uses public-key signatures over the zone data
itself, so it needs no shared secret with the resolver; like TSIG, it authenticates but does not
encrypt. This protects against forged responses, cache pollution, and someone trying to spoof your
DNS servers.


But be aware that DNSSEC is NOT for every kind of Name Server. DNSSEC verifies that the data
received by a resolver is the same as the data published. For it to do anything, the resolver must
be configured to verify data. Signing a localhost zone, as on a Caching-Only or Secondary/Slave
Name Server, is not useful, since that data does not travel over an insecure network. Signing data
in general doesn't help you directly; it guarantees that anyone who gets data from your server can
verify its correctness, if they have configured their resolver to do so.


Each zone (domain) in the DNS will need to have a key pair. The zone's public key will be
included in its resource records. The zone's private key will be kept securely by the administrator
of the zone, and never given to anyone outside your organization. Below, I show you all the
required steps for the creation and use of DNSSEC signed zones.





In our example we assume that you want to use the DNSSEC feature for your Primary/Master
Name Server with your parent zone (i.e. .COM) over the Internet. All commands listed below are
assumed to be run in the /chroot/named/var/named directory, since the DNSSEC tools
require the generated key files to be in the working directory.








Step 1

As usual in cryptography, the first step is to generate a key pair. The zone keys generated
here are a private and a public key used to sign records for the zone in question, and the zone
keys must have the same name as the zone, "openna.com" in our example. The resulting public
key will later be inserted into the related zone file with a $INCLUDE statement.


• To generate a 1024 bit DSA key for the openna.com zone, use the following commands:
[root@deep /]# cd /chroot/named/var/named/
[root@deep named]# dnssec-keygen -a DSA -b 1024 -n ZONE openna.com
Kopenna.com.+003+28448


The above command generates a 1024 bit DSA key for the openna.com zone, and two output
files are produced: "Kopenna.com.+003+28448.key" and
"Kopenna.com.+003+28448.private". The private key will be used to generate signatures,
and the public key will be used for signature verification. Protect the .private file as you would
any other private key: it is not needed by the Secondary, which receives the already signed zone by
zone transfer, so it should never leave this machine.
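The file names dnssec-keygen produces encode three things: the key's owner name, the algorithm number (003 is DSA) and the key tag, also called the footprint, a 16-bit checksum over the public key record that lets a verifier pick the right key when a zone has several. The following added example (not part of the book, nor of BIND) parses such a name, computes the key tag over KEY/DNSKEY RDATA as defined in RFC 2535 Appendix C (the same formula RFC 4034 Appendix B uses), and checks that the record inside a .key file really belongs to the file it sits in. The public key bytes in main() are constructed, not a real DSA key, so that the tag can be checked by hand.

```python
"""Decode dnssec-keygen file names (K<name>+<alg>+<tag>) and recompute the key tag.

Added example, not part of the book or of BIND. The key material used in
main() is constructed; it is not a real DSA public key.
"""
import base64
import re
import struct

_KEYFILE = re.compile(r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.(?:key|private))?$")
ALGORITHMS = {1: "RSA/MD5", 3: "DSA", 5: "RSA/SHA-1", 157: "HMAC-MD5"}


def parse_keyfile_name(filename):
    """'Kopenna.com.+003+28448.private' -> ('openna.com.', 3, 28448)."""
    m = _KEYFILE.match(filename)
    if not m:
        raise ValueError(f"not a dnssec-keygen file name: {filename}")
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag over the KEY/DNSKEY RDATA (RFC 2535 App. C, RFC 4034 App. B)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    if algorithm == 1:
        # RSA/MD5 is the one exception: the tag is the low 16 bits of the modulus,
        # i.e. the third- and second-to-last octets of the RDATA.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_record(line):
    """Parse 'openna.com. IN KEY 256 3 3 <base64>' as written to the .key file."""
    fields = line.split()
    rtype = next(i for i, f in enumerate(fields) if f in ("KEY", "DNSKEY"))
    flags, protocol, algorithm = (int(f) for f in fields[rtype + 1:rtype + 4])
    public_key = base64.b64decode("".join(fields[rtype + 4:]))
    return fields[0], flags, protocol, algorithm, public_key


def keyfile_matches(filename, record_line):
    """True if the record's owner, algorithm and computed tag agree with the file name."""
    name, alg, tag = parse_keyfile_name(filename)
    owner, flags, protocol, algorithm, public_key = parse_key_record(record_line)
    return (owner.lower() == name.lower() and algorithm == alg
            and key_tag(flags, protocol, algorithm, public_key) == tag)


if __name__ == "__main__":
    print(parse_keyfile_name("Kopenna.com.+003+28448.private"))   # ('openna.com.', 3, 28448)
    # Constructed 4-byte "public key": flags 256 (zone key), protocol 3 (DNSSEC),
    # algorithm 3 (DSA) -> RDATA 01 00 03 03 00 01 02 03 -> tag 1543.
    print(key_tag(256, 3, 3, b"\x00\x01\x02\x03"))
    print(keyfile_matches("Kexample.com.+003+01543.key",
                          "example.com. IN KEY 256 3 3 AAECAw=="))   # True
```

The tag is a checksum, not a hash, so two keys can share one; it is only a hint for selecting candidates, and the signature itself still has to verify.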





Step 2

Once the zone keys have been generated as shown previously, a keyset must be built and
transmitted to the administrator of the parent zone in question, who signs the keys with its own
zone key. When building a keyset, at least the following information must be included: the TTL
(Time To Live) of the keyset must be specified, and the desired validity period of the parent's
signature may also be specified.


• To generate a keyset containing the previous key, use the following command:
[root@deep named]# dnssec-makekeyset -t 3600 -e +864000 \
Kopenna.com.+003+28448
keyset-openna.com.


The above command generates a keyset containing the previous key, with a TTL of 3600 and a
signature validity period of 10 days (864000 seconds) starting from now, in an output file called
"keyset-openna.com.". This file should be transmitted to the parent to be signed. It includes the
keys, as well as signatures over the keyset generated by the zone keys themselves, which are used
to prove ownership of the private keys and encode the desired validity period.


Step 3

After that, the administrator of the parent zone (in our case .COM, since our zone is
openna.com) should receive the keyset files for each of your secure zones (in our example:
keyset-openna.com.) and must sign the keys with its own private key. This is the step that
permits others on the net to determine that the resource records they receive from your zone
are really from you.


• The administrator of your parent zone will sign the keyset with its zone keys by using
something like the following command:
[root@internic named]# dnssec-signkey keyset-openna.com. \
KA.COM.+003+31877
signedkey-openna.com.


One output file called "signedkey-openna.com." will be produced. This file should be both
transmitted back to the child zone's administrator and retained. It will include all keys from the
keyset file and the signatures generated by the parent zone's zone keys.








WARNING: Take note that in our example "KA.COM.+003+31877" is the key for the "A.COM"
zone file, which is our parent zone. Olafur Gudmundsson <ogud@ogud.com> has informed me
that .COM is not there yet, but what you SHOULD do is to contact your registrar and notify them
that you MUST have your key set signed by .COM ASAP and when they expect that to happen.
Verisign Global Registry has indicated that they want to start signing .COM sometime this year,
but check with them what the current plans are.





To summarize our procedures:

• We generated a key pair for our zone file in step 1.
• We built and transmitted a keyset to our parent zone for signing in step 2.
• The administrator of the parent zone signs our keyset with its private key.
• The administrator of the parent zone transmits our keyset back after signing it.


Step 4

Recall that the public key should be inserted into the related zone file with a $INCLUDE
statement. At this step we must insert the public key (Kopenna.com.+003+28448.key) into the
related zone file, which in our example is the zone file called db.openna located under the
/chroot/named/var/named directory.


• Edit the db.openna zone file (vi /chroot/named/var/named/db.openna), and
add the $INCLUDE line to your default zone file:


; Revision History: March 01, 2001 - root@openna.com
; Start of Authority (SOA) records.
$TTL 172800
@       IN      SOA     ns1.openna.com. root.openna.com. (
                        00              ; Serial
                        10800           ; Refresh after 3 hours
                        3600            ; Retry after 1 hour
                        604800          ; Expire after 1 week
                        172800 )        ; Minimum TTL of 1 day

$INCLUDE Kopenna.com.+003+28448.key

; Name Server (NS) records.
        IN      NS      ns1.openna.com.
        IN      NS      ns2.openna.com.

; Mail Exchange (MX) records.
        IN      MX      0 smtp.openna.com.

; Address (A) records.
localhost       IN      A       127.0.0.1
router          IN      A       207.35.78.1
portal          IN      A       207.35.78.2
www             IN      A       207.35.78.3
smtp            IN      A       207.35.78.4


Don't forget to restart your DNS server for the change to take effect.


• Restart ISC BIND & DNS with the following command:
[root@deep /]# /etc/rc.d/init.d/named restart
Shutting down named: [OK]
Starting named: [OK]


NOTE: Please check that everything looks right in your log files (/var/log/messages) before
continuing with the step below. It is important to be sure that there is nothing wrong with your
configuration.





Step 5

Once the keyset has been signed and approved by the parent zone (.COM), the final step is to
sign our zone. The result is one output file called "db.openna.signed". This file should be
referenced by named.conf as the input file for the zone instead of the default one called
"db.openna". The signatures it contains carry an expiry time, so the zone has to be re-signed
before they expire, and again whenever the zone data changes.


• To sign the zone file, use the following command:
[root@deep named]# dnssec-signzone -o openna.com db.openna
db.openna.signed


• One last requirement is to change the owner of the db.openna.signed file to the user
under which our named daemon runs. In our case the named daemon runs under the user
called "named":
[root@deep named]# chown named.named db.openna.signed








NOTE: If a zone doesn't publish a key, BIND will accept any plausible-looking records,
without a digital signature, just like in the original DNS. This provides compatibility with existing
DNS zones, allowing Secure DNS to be gradually introduced throughout the Internet.





Step 6
The result of signing the zone is one output file called "db.openna.signed". Recall
that this file should be referenced by named.conf as the input file for the zone.


• Edit the named.conf file (vi /chroot/named/etc/named.conf), and change the
file line of the openna.com zone so that the file reads as follows:


key ns1-ns2 {
    algorithm hmac-md5;
    secret "psljy3f7czValVNZkYaLfw==";
};

server 207.35.78.6 {
    keys { ns1-ns2; };
};

key localkey {
    algorithm hmac-md5;
    secret "JpWopXTHbRel32xLP9x7rg==";
};

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { localkey; };
};

options {
    directory "/var/named";
    allow-transfer { key ns1-ns2; };
    allow-query { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    allow-recursion { 192.168.1.0/24; 207.35.78.0/32; localhost; };
    version "Go away!";
};

logging {
    category lame-servers { null; };
};

// Root server hints
zone "." { type hint; file "db.cache"; };

// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};

// We are the master server for openna.com
zone "openna.com" {
    type master;
    file "db.openna.signed";
    allow-query { any; };
};

zone "78.35.207.in-addr.arpa" {
    type master;
    file "db.207.35.78";
    allow-query { any; };
};


Step 7
Don't forget to restart your DNS server for the changes to take effect.


• Restart ISC BIND & DNS with the following command on both DNS servers:
[root@deep /]# /etc/rc.d/init.d/named restart
Shutting down named: [OK]
Starting named: [OK]
Optimizing ISC BIND & DNS
This section deals with actions we can take to further improve and tighten the performance of ISC
BIND & DNS. Note that we refer to the features available within the base installed program.


The BIND9 Lightweight Resolver

The new release of BIND comes with a new daemon program called "lwresd". The lwresd
daemon is essentially a Caching-Only Name Server that answers requests using the lightweight
resolver protocol rather than the DNS protocol. Because it needs to run on each host, it is
designed to require no or minimal configuration. In our configuration we'll run lwresd in a
chrooted environment.


On all Caching-Only Name Servers that you may have in your network, it can be interesting to run
this daemon "lwresd" instead of the full "named" daemon. Remember that a Caching-Only
Name Server is not authoritative for any domains except 0.0.127.in-addr.arpa. It can look
up names inside and outside your zone, as can Primary and Slave Name Servers, but the
difference is that when it initially looks up a name within your zone, it ends up asking one of the
Primary or Slave Name Servers for your zone for the answer and nothing else. Therefore we
can run the "lwresd" daemon on this kind of Name Server and everything will run as we want.


Below are the required steps to run your Caching-Only Name Server with the "lwresd" daemon
instead of the "named" daemon in a chrooted environment.


Step 1

By default, the lwresd daemon listens on the loopback address (127.0.0.1). With a firewall on
the system it is important to instruct the lwresd daemon to listen on the external interface of the
server. This is done with an "lwserver" statement line in the /etc/resolv.conf file.


• Edit the resolv.conf file (vi /etc/resolv.conf), and add the following line:
lwserver 207.35.78.2

Where 207.35.78.2 is the IP address of the external interface in the firewall script file.
Step 2
Since lwresd will run in a chroot jail environment, we must copy the /etc/resolv.conf file to
our chrooted environment for the lwresd daemon to be able to find the resolv.conf file and
start.

• To copy the resolv.conf file to your chroot jail, use the following command:
[root@deep /]# cp /etc/resolv.conf /chroot/named/etc/


Step 3
Now, we must create an initialization script file for the lwresd daemon to automatically start and
stop on your server.


• Create the lwresd script file (touch /etc/rc.d/init.d/lwresd) and add the
following lines inside it:

#!/bin/bash
#
# lwresd        This shell script takes care of starting and stopping
#               lwresd (The lightweight resolver library).
#
# chkconfig: - 55 45
# description: lwresd is essentially a Caching-Only Name Server \
#              that answers requests using the lightweight resolver \
#              protocol rather than the DNS protocol.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# ROOTDIR (the chroot jail) and OPTIONS come from /etc/sysconfig/named.
[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

[ -f /usr/sbin/lwresd ] || exit 0
[ -f "${ROOTDIR}"/etc/resolv.conf ] || exit 0

RETVAL=0

start() {
        # Start daemons.
        echo -n "Starting lwresd: "
        if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
                OPTIONS="${OPTIONS} -t ${ROOTDIR}"
        fi
        daemon lwresd -P 53 -u named ${OPTIONS}
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/lwresd
        echo
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n "Shutting down lwresd: "
        killproc lwresd
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/lwresd
        echo
        return $RETVAL
}

restart() {
        stop
        start
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  *)
        echo "Usage: lwresd {start|stop|restart}"
        exit 1
esac

exit $?


Step 4

Once the lwresd script file has been created, it is important to make it executable, change its
default permissions, create the necessary links and start it. Making this file executable allows
the system to run it; changing its default permissions allows only the root user to change this
file, for security reasons; and creating the symbolic links lets the process control initialization
of Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the program automatically for you at each boot.


• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/lwresd
[root@deep /]# chown 0.0 /etc/rc.d/init.d/lwresd


• To create the symbolic rc.d links for lwresd, use the following commands:
[root@deep /]# chkconfig --add lwresd
[root@deep /]# chkconfig --level 2345 lwresd on


Step 5
Because we run lwresd instead of the named daemon on our Caching-Only Name Server, it is
important to deactivate and uninstall the named initialization script file on our system.


• These procedures can be accomplished with the following commands:
[root@deep /]# chkconfig --del named
[root@deep /]# chkconfig --level 2345 named off
[root@deep /]# rm -f /etc/rc.d/init.d/named


Step 6

The lwresd daemon reads its configuration file from /etc/lwresd.conf. This file is optional
and the program can run without it, with just the resolv.conf file, but it is preferable to
create and use this configuration file with lwresd to reduce possible messages in the log file.


The format of the lwresd.conf file is identical to named.conf. Therefore all you have to do is to
rename your existing named.conf file, configured for a Caching-Only Name Server, to
lwresd.conf.


• This procedure can be accomplished with the following commands:
[root@deep /]# cd /chroot/named/etc/
[root@deep etc]# mv named.conf lwresd.conf


Step 7
Now it is time to start your DNS server with the lwresd daemon.


• To start lwresd manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/lwresd start
Starting lwresd: [OK]
Further documentation
For more details, there are several manual pages you can read:


$ man named-checkconf (1) - Configuration file syntax checking tool
$ man named-checkzone (1) - Zone validity checking tool
$ man host (1) - DNS lookup utility
$ man dig (1) - DNS lookup utility
$ man rndc.conf (5) - rndc configuration file
$ man named (8) - Internet domain name server
$ man rndc (8) - name server control utility
$ man lwresd (8) - lightweight resolver daemon
$ man nsupdate (8) - Dynamic DNS update utility


ISC BIND & DNS Administrative Tools
The commands listed below are some that we use often, but many more exist. Check the manual
pages of ISC BIND & DNS and documentation for more information.


dig

The dig command (domain information groper) is a DNS lookup utility for interrogating DNS
name servers: it performs DNS lookups and displays the answers that are returned. It can
also be used to update your db.cache file by asking your server where the servers for the "root"
zone are. dig is a useful tool to use when you want to troubleshoot DNS problems.


• Use the following command to query a server:
[root@deep /]# dig @www.openna.com

; <<>> DiG 9.1.0 <<>> @www.openna.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20994
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 3 msec
;; SERVER: 207.35.78.5#53(ns1.openna.com)
;; WHEN: Fri Feb 23 19:16:51 2001
;; MSG SIZE  rcvd: 17


Where @www.openna.com is the address of the server to query. With no name given, dig asks that
server for the NS records of the root zone ("."). The "status: REFUSED" in the header above means
the server declined to answer, typically because the querying host falls outside its allow-query or
allow-recursion lists, as set in the named.conf examples earlier in this chapter. Many options exist
for this tool and I recommend you to read the dig manual page dig (1) for a complete list.


rndc

The rndc command utility allows the system administrator to control the operation of a name
server. It replaces the ndc (8) utility that was provided in old BIND 8 releases. You can use this
tool to reload configuration files and zones, schedule immediate maintenance for a zone, write
server statistics, toggle query logging, stop the DNS server, and many other functions. The rndc
tool prints a short summary of the supported commands and the available options if invoked on
the command line without arguments.

• Type rndc on your terminal to get a short summary of all available and supported
commands:
[root@deep /]# rndc
Usage: rndc [-c config] [-s server] [-p port] [-y key] [-z zone] [-v view]
        command [command ...]
command is one of the following:

  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  stats         Write server statistics to the statistics file.
  querylog      Toggle query logging.
  dumpdb        Dump cache(s) to the dump file (named_dump.db).
  stop          Save pending updates to master files and stop the server.
  halt          Stop the server without saving pending updates.
  *status       Display ps(1) status of named.
  *trace        Increment debugging level by one.
  *notrace      Set debugging level to 0.
  *restart      Restart the server.
* == not yet implemented
Version: 9.1.0


ISC BIND & DNS Users Tools
The commands listed below are some that we often use, but many more exist. Check the manual
pages of ISC BIND & DNS and documentation for more information.


nslookup

The nslookup program allows the user to query Internet domain name servers interactively or
non-interactively. In interactive mode the user can query name servers for information about
various hosts and domains, and print a list of hosts in a domain. In non-interactive mode the user
just gives the name of a host or domain on the command line and the requested information is
printed.

Interactive mode has a lot of options and commands; it is recommended that you see the manual
page for nslookup.

• To enter nslookup interactive mode, use the command:
[root@deep /]# nslookup
> www.openna.com
Server:         207.35.78.5
Address:        207.35.78.5#53

Name:   www.openna.com
Address: 207.35.78.3
> exit

• To run in non-interactive mode, use the command:
[root@deep /]# nslookup www.openna.com
Server:         207.35.78.5
Address:        207.35.78.5#53

Name:   www.openna.com
Address: 207.35.78.3

Where <www.openna.com> is the host name or Internet address to be looked up; the Server and
Address lines show which name server answered the query.


host

The host tool is a simple utility for performing DNS lookups. It is normally used to convert names
to IP addresses and vice versa. When no arguments or options are given, host prints a short
summary of its command line arguments and options.

• To print host command line arguments and options, use the command:
[root@deep /]# host
Usage: host [-aCdlrTwv] [-c class] [-n] [-N ndots] [-t type] [-W time]
            [-R number] hostname [server]
       -a is equivalent to -v -t *
       -c specifies query class for non-IN data
       -C compares SOA records on authoritative nameservers
       -d is equivalent to -v
       -l lists all hosts in a domain, using AXFR
       -n Use the nibble form of IPv6 reverse lookup
       -N changes the number of dots allowed before root lookup is done
       -r disables recursive processing
       -R specifies number of retries for UDP packets
       -t specifies the query type
       -T enables TCP/IP mode
       -v enables verbose output
       -w specifies to wait forever for a reply
       -W specifies how long to wait for a reply

Note that -l asks the server for a full zone transfer (AXFR). A correctly configured server only
allows this from the addresses listed in its allow-transfer option, so a refused transfer is the
expected answer when you try it from anywhere else.

• To look up host names using the domain server, use the command:
[root@deep /]# host openna.com
openna.com. has address 207.35.78.3
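The three lookup tools above all print the same kind of answer, and what you usually need from
the output when troubleshooting is the header status and flags rather than the records themselves.
The following is an added example (not code from the book or from ISC): shell functions that pick
the RCODE and the header flags out of a dig answer and use them to tell a server that refused
the query, as in the REFUSED example above, from one that recursed for the client. The two dig
outputs embedded in it are constructed for the example; ns1.example.org, www.example.org and
the 192.0.2.x addresses are placeholders, not real captures.

```shell
#!/bin/sh
# Added example (not from the book): classify a dig answer by the RCODE and
# flags in its ->>HEADER<<- section. Both sample outputs below are constructed
# for this example; example.org names and 192.0.2.x addresses are placeholders.

DIG_REFUSED=';; <<>> DiG 9.1.0 <<>> @ns1.example.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20994
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 3 msec
;; SERVER: 192.0.2.5#53(ns1.example.org)'

DIG_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.org.               IN      A

;; ANSWER SECTION:
www.example.org.        3600    IN      A       192.0.2.3'

# dig_status OUTPUT: print the RCODE (NOERROR, REFUSED, NXDOMAIN, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# dig_flags OUTPUT: print the header flags as a space-separated list, e.g. "qr rd ra"
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# dig_has_flag OUTPUT FLAG: true if FLAG is among the header flags
dig_has_flag() {
    for f in $(dig_flags "$1"); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# classify OUTPUT: what the answer tells you about the server that was queried
#   REFUSED          -> its access lists rejected the query ("closed")
#   NOERROR with ra  -> it recursed for this client; an open resolver if the
#                       client sits outside your own network ("open-recursive")
#   anything else    -> answered without offering recursion ("no-recursion")
classify() {
    rc=$(dig_status "$1")
    if [ "$rc" = "REFUSED" ]; then
        echo closed
    elif [ "$rc" = "NOERROR" ] && dig_has_flag "$1" ra; then
        echo open-recursive
    else
        echo no-recursion
    fi
}

# Against a live server you would run (not executed here):
#   classify "$(dig @ns1.example.org www.example.org A)"
```

Run the live form from a host outside your network: "closed" or "no-recursion" is what you want
to see from an authoritative server, and "open-recursive" from anywhere but your own clients
means the allow-recursion access list needs fixing.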


List of installed ISC BIND & DNS files on your system

> /etc/rc.d/init.d/named
> /etc/sysconfig/named
> /etc/rndc.conf
> /usr/bin/dig
> /usr/bin/host
> /usr/bin/nslookup
> /usr/bin/nsupdate
> /usr/bin/isc-config.sh
> /usr/include/isc
> /usr/include/isc/assertions.h
> /usr/include/isc/base64.h
> /usr/include/isc/bitstring.h
> /usr/include/isc/boolean.h
> /usr/include/isc/buffer.h
> /usr/include/isc/bufferlist.h
> /usr/include/isc/commandline.h
> /usr/include/isc/entropy.h
> /usr/include/isc/error.h
> /usr/include/isc/event.h
> /usr/include/isc/eventclass.h
> /usr/include/isc/file.h
> /usr/include/isc/formatcheck.h
> /usr/include/isc/fsaccess.h
> /usr/include/isc/heap.h
> /usr/include/isc/hex.h
> /usr/include/isc/hmacmd5.h
> /usr/include/isc/interfaceiter.h
> /usr/include/isc/lang.h
> /usr/include/isc/lex.h
> /usr/include/isc/lfsr.h
> /usr/include/isc/lib.h
> /usr/include/isc/list.h
> /usr/include/isc/log.h
> /usr/include/isc/magic.h
> /usr/include/isc/md5.h
> /usr/include/isc/mem.h
> /usr/include/isc/msgcat.h
> /usr/include/isc/msgs.h
> /usr/include/isc/mutexblock.h
> /usr/include/isc/netaddr.h
> /usr/include/isc/ondestroy.h
> /usr/include/isc/os.h
> /usr/include/isc/print.h
> /usr/include/isc/quota.h
> /usr/include/isc/random.h
> /usr/include/isc/ratelimiter.h
> /usr/include/isc/refcount.h
> /usr/include/isc/region.h
> /usr/include/isc/resource.h
> /usr/include/isc/result.h
> /usr/include/isc/resultclass.h
> /usr/include/isc/rwlock.h
> /usr/include/isc/serial.h
> /usr/include/isc/sha1.h
> /usr/include/isc/sockaddr.h
> /usr/include/isc/socket.h
> /usr/include/isc/stdio.h
> /usr/include/isc/string.h
> /usr/include/isc/symtab.h
> /usr/include/isc/task.h
> /usr/include/isc/taskpool.h
> /usr/include/isc/timer.h
> /usr/include/isc/types.h
> /usr/include/isc/util.h
> /usr/include/isc/platform.h
> /usr/include/isc/app.h
> /usr/include/isc/dir.h
> /usr/include/isc/int.h
> /usr/include/isc/net.h
> /usr/include/isc/netdb.h
> /usr/include/isc/offset.h
> /usr/include/isc/stdtime.h
> /usr/include/isc/time.h
> /usr/include/isc/condition.h
> /usr/include/isc/mutex.h
> /usr/include/isc/once.h
> /usr/include/isc/thread.h
> /usr/include/dns
> /usr/include/dns/a6.h
> /usr/include/dns/acl.h
> /usr/include/dns/adb.h
> /usr/include/dns/byaddr.h
> /usr/include/dns/cache.h
> /usr/include/dns/callbacks.h
> /usr/include/dns/cert.h
> /usr/include/dns/compress.h
> /usr/include/dns/confacl.h
> /usr/include/dns/confcache.h
> /usr/include/dns/confcommon.h
> /usr/include/dns/confctl.h
> /usr/include/dns/confctx.h
> /usr/include/dns/confip.h
> /usr/include/dns/confkeys.h
> /usr/include/dns/conflog.h
> /usr/include/dns/conflsn.h
> /usr/include/dns/conflwres.h
> /usr/include/dns/confparser.h
> /usr/include/dns/confresolv.h
> /usr/include/dns/confrrset.h
> /usr/include/dns/confview.h
> /usr/include/dns/confzone.h
> /usr/include/dns/db.h
> /usr/include/dns/dbiterator.h
> /usr/include/dns/dbtable.h
> /usr/include/dns/diff.h
> /usr/include/dns/dispatch.h
> /usr/include/dns/dnssec.h
> /usr/include/dns/events.h
> /usr/include/dns/fixedname.h
> /usr/include/dns/journal.h
> /usr/include/dns/keyflags.h
> /usr/include/dns/keytable.h
> /usr/include/dns/keyvalues.h
> /usr/include/dns/lib.h
> /usr/include/dns/log.h
> /usr/include/dns/master.h
> /usr/include/dns/masterdump.h
> /usr/include/dns/message.h
> /usr/include/dns/name.h
> /usr/include/dns/namedconf.h
> /usr/include/dns/ncache.h
> /usr/include/dns/nxt.h
> /usr/include/dns/peer.h
> /usr/include/dns/rbt.h
> /usr/include/dns/rcode.h
> /usr/include/dns/rdata.h
> /usr/include/dns/rdataclass.h
> /usr/include/dns/rdatalist.h
> /usr/include/dns/rdataset.h
> /usr/include/dns/rdatasetiter.h
> /usr/include/dns/rdataslab.h
> /usr/include/dns/rdatatype.h
> /usr/include/dns/request.h
> /usr/include/dns/resolver.h
> /usr/include/dns/result.h
> /usr/include/dns/rootns.h
> /usr/include/dns/sdb.h
> /usr/include/dns/secalg.h
> /usr/include/dns/secproto.h
> /usr/include/dns/ssu.h
> /usr/include/dns/tcpmsg.h
> /usr/include/dns/time.h
> /usr/include/dns/tkey.h
> /usr/include/dns/tsig.h
> /usr/include/dns/ttl.h
> /usr/include/dns/types.h
> /usr/include/dns/validator.h
> /usr/include/dns/view.h
> /usr/include/dns/xfrin.h
> /usr/include/dns/zone.h
> /usr/include/dns/zt.h
> /usr/include/dns/enumclass.h
> /usr/include/dns/enumtype.h
> /usr/include/dns/rdatastruct.h
> /usr/include/dst
> /usr/include/dst/dst.h
> /usr/include/dst/lib.h
> /usr/include/dst/result.h
> /usr/include/lwres
> /usr/include/lwres/context.h
> /usr/include/lwres/lwbuffer.h
> /usr/include/lwres/lwpacket.h
> /usr/include/lwres/lwres.h
> /usr/include/lwres/result.h
> /usr/include/lwres/int.h
> /usr/include/lwres/lang.h
> /usr/include/lwres/list.h
> /usr/include/lwres/net.h
> /usr/include/lwres/ipv6.h
> /usr/include/lwres/netdb.h
> /usr/include/lwres/platform.h
> /usr/include/omapi
> /usr/include/omapi/compatibility.h
> /usr/include/omapi/lib.h
> /usr/include/omapi/omapi.h
> /usr/include/omapi/private.h
> /usr/include/omapi/result.h
> /usr/include/omapi/types.h
> /usr/lib/libisc.so.3.0.0
> /usr/lib/libisc.so.3
> /usr/lib/libisc.so
> /usr/lib/libisc.la
> /usr/lib/libisc.a
> /usr/lib/libdns.so.4.0.0
> /usr/lib/libdns.so.4
> /usr/lib/libdns.so
> /usr/lib/libdns.la
> /usr/lib/libdns.a
> /usr/lib/liblwres.so.1.1.0
> /usr/lib/liblwres.so.1
> /usr/lib/liblwres.so
> /usr/lib/liblwres.la
> /usr/lib/liblwres.a
> /usr/lib/libomapi.so.3.0.0
> /usr/lib/libomapi.so.3
> /usr/lib/libomapi.so
> /usr/lib/libomapi.la
> /usr/lib/libomapi.a
> /usr/sbin/named
> /usr/sbin/lwresd
> /usr/sbin/rndc
> /usr/sbin/dnssec-keygen
> /usr/sbin/dnssec-makekeyset
> /usr/sbin/dnssec-signkey
> /usr/sbin/dnssec-signzone
> /usr/sbin/named-checkconf
> /usr/sbin/named-checkzone
> /usr/share/man/man1/named-checkconf.1
> /usr/share/man/man1/named-checkzone.1
> /usr/share/man/man1/host.1
> /usr/share/man/man1/dig.1
> /usr/share/man/man5/rndc.conf.5
> /usr/share/man/man8/named.8
> /usr/share/man/man8/rndc.8
> /usr/share/man/man8/lwresd.8
> /usr/share/man/man8/nsupdate.8
> /var/named
> /var/run/named
Part VIII Mail Transfer Agent Related Reference
In this Part

Mail Transfer Agent - Sendmail
Mail Transfer Agent - qmail

Here we come to the part where we'll talk about mail and the necessity of having a mail server
installed on our secure Linux server. On every kind of machine that runs a Unix operating system
it's necessary and NOT optional to have a mail server. Even if you don't set up your system to
send or receive mail for users, you'll always have log messages that need to be delivered to the
root user, postmaster, daemon programs, etc. This is where a mail server is vital: if you decide
not to install one on your system, you may lose important messages about errors, attacks,
intrusions and so on. The next two chapters of this book deal extensively with the mail transport
agents you may want to install. We will begin with Sendmail and finish with the qmail software.
It's yours to choose which MTA you prefer to use, Sendmail or qmail.

There is one question that most of you will ask often, and this question is:
What are the differences between Sendmail and qmail?
Why should I use Sendmail instead of qmail, or qmail instead of Sendmail?

You have to decide which features you want/need and then select the appropriate MTA. Some of
you may decide to use Sendmail because of its many features and its support for most e-mail
related RFCs.

For example, quoting the operations guide:

Sendmail is based on RFC821 (Simple Mail Transport Protocol), RFC822 (Internet Mail
Headers Format), RFC974 (MX routing), RFC1123 (Internet Host Requirements), RFC2045
(MIME), RFC1869 (SMTP Service Extensions), RFC1652 (SMTP 8BITMIME Extension),
RFC1870 (SMTP SIZE Extension), RFC1891 (SMTP Delivery Status Notifications), RFC1892
(Multipart/Report), RFC1893 (Mail System Status Codes), RFC1894 (Delivery Status
Notifications), RFC1985 (SMTP Service Extension for Remote Message Queue Starting),
RFC2033 (Local Message Transmission Protocol), RFC2034 (SMTP Service Extension for
Returning Enhanced Error Codes), RFC2476 (Message Submission), RFC2487 (SMTP Service
Extension for Secure SMTP over TLS), and RFC2554 (SMTP Service Extension for
Authentication).

On the other hand, from the point of view of security, consider this:

With Sendmail the entire sendmail system is setuid, while with qmail only one qmail program
is setuid: qmail-queue. Its only purpose is to add a new mail message to the outgoing queue.
Also, five of the most important qmail programs are not security-critical: even if all of these
programs are completely compromised, so that an intruder has full control over the program
accounts and the mail queue, he still can't take over your system. Finally, the stralloc concept and
getln() from qmail's own basic C library make it very easy to avoid buffer overruns, memory
leaks, and artificial line length limits. qmail is based on RFC 822, RFC 1123, RFC 821,
RFC 1651, RFC 1652, RFC 1854, RFC 1893, RFC 974, RFC 1939.
20 Mail Transfer Agent - Sendmail
In this Chapter

Recommended RPM packages to be installed for a Mail Server
Compiling - Optimizing & Installing Sendmail
Configuring Sendmail
Running Sendmail with SSL support
Securing Sendmail
Sendmail Administrative Tools
Sendmail Users Tools
Linux Sendmail Mail Transfer Agent Server

Abstract

The Sendmail program is one of the most widely used Internet Mail Transfer Agents (MTAs) in
the world. The purpose of an MTA is to send mail from one machine to another, and nothing else.
Sendmail is not a client program, which you use to read your e-mail. Instead, it actually moves
your email over networks, or the Internet, to where you want it to go. Sendmail has been an
easy target for system crackers to exploit in the past, but with the advent of Sendmail version 8,
this has become much more difficult.

In our configuration and installation we'll provide you with two different configurations that you can
set up for Sendmail: one for a Central Mail Hub Relay, and another for the local or neighbor
clients and servers. We'll use the m4 macro processor of Linux to generate the ".cf" configuration
files of Sendmail from short ".mc" macro files, since that makes maintenance much easier for
people who don't understand sendmail rewrite rules.

The Central Mail Hub Relay Server configuration will be used for the server whose assigned
task is to send, receive and relay all mail for all local or neighbor client and server mail machines
you may have on your network. A local or neighbor client and server refers to all other local
server or client machines on your network that run Sendmail and send all outgoing mail to the
Central Mail Hub for delivery. You can configure the neighbor Sendmail so that it accepts
only mail that is generated locally, thus insulating neighbor machines for easier security. This kind
of internal client never receives mail directly via the Internet; instead, all mail from the Internet for
those computers is kept on the Mail Hub server. It is a good idea to run at least one Central Mail
Hub Server for all computers on your network; this architecture will limit the management task on
the server and client machines, and improve the security of your site.

If you decide to install and use Sendmail as your Central Mail Hub Server, it will be important to
refer to the part of this book that talks about the Internet Message Access Protocol. Recall that
Sendmail is just a program to send and receive mail and cannot be used to read mail. Therefore
in a Central Mail Hub environment you need to have a program which allows users to connect to
the Sendmail Mail Hub to get and read their mail; this is where a program like UW IMAP, which
provides the Internet Message Access Protocol (IMAP) and the Post Office Protocol (POP), is
required and must be installed, and only in the case where you run Sendmail as your Mail Hub
Server. If you run Sendmail as a standalone local/neighbor client Mail Server, then you don't need
to install an IMAP/POP server like UW IMAP. If you decide to skip this chapter about Sendmail
because you'd prefer to install qmail as your MTA, then you don't need to install UW IMAP even if
you configure qmail as a Mail Hub Server, since qmail already comes with its own fast, small and
secure POP program known as qmail-pop3d.


Disclaimer 

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY 
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING 
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME PARTS 
OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR COUNTRY, RE- 
DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL SUGGESTIONS OR EVEN 
SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE YOU ARE STRONGLY ADVISED 
TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT AND/OR USE LAWS WHICH APPLY 
TO YOU. THE AUTHORS ARE NOT LIABLE FOR ANY VIOLATIONS YOU MAKE HERE. SO BE 
CAREFUL, IT IS YOUR RESPONSIBILITY. 
Recommended RPM packages to be installed for a Mail Server

A minimal configuration provides the basic set of packages required by the Linux operating
system. A minimal configuration is a perfect starting point for building a secure operating system.
Below is the list of all recommended RPM packages required to run your Linux server properly as
a Mail Server (SMTP) running the Sendmail software.

This configuration assumes that your kernel is a monolithic kernel. I also assume that you will
install Sendmail from its RPM package; therefore the sendmail RPM package is already included
in the list below, as you can see. Since IMAP is directly related to the Sendmail software,
especially in a Mail Hub Server environment, it is also included in the list below, as is xinetd,
which allows the imapd and popd services to run on the system. None of the security tools are
installed; it is up to you to install them as you need them, from RPM packages too, since the
compiler packages are not installed and not included in the list.

basesystem                                    openssl         slocate
bash            file            less          pam             sysklogd
bdflush         filesystem      libstdc++     passwd          syslinux
bind            fileutils       libtermcap    popt            SysVinit
bzip2           findutils       lilo          procmail        tar
chkconfig       gawk            logrotate     procps          termcap
console-tools   gdbm            losetup       psmisc          textutils
cpio            gettext         mailx         pwdb            tmpwatch
cracklib        glib            MAKEDEV       quota           utempter
cracklib-dicts  glibc           man           readline        util-linux
crontabs        glibc-common    mingetty      rootfiles       vim-common
db1             grep            mktemp        rpm             vim-minimal
db2             groff           mount         sed             vixie-cron
db3             gzip            ncurses       sendmail        words
dev             imap            net-tools     setup           which
devfsd          info            newt          sh-utils        xinetd
diffutils       initscripts     openssh       shadow-utils    zlib
e2fsprogs       iptables        openssh-server slang

Tested and fully functional on OpenNA.com.
[Figure: Mail Server configuration used in this book. The Router (207.35.78.1) connects the
External HUB to the Internal HUB. The Gateway Server (207.35.78.2 and 192.168.1.1) runs a
null client standalone Mail Server and forwards all local or external mail to the Mail Hub Server.
The Central Mail Hub Server (Mail Server, 207.35.78.4) receives and sends all mail. All mail in the
openna.com domain is accessible only through the Central Mail Hub Server. All other servers on
the network run a null client standalone Mail Server; usually all internal computers run at least a
null client standalone Mail Server and forward all local or external mail to the Central Mail Hub
Server.]

This is a graphical representation of the Mail Server configuration we use in this book. We try to
show you different settings (Central Mail Hub Relay, and local or neighbor null client server) on
different servers. Lots of possibilities exist, and depend on your needs and network architecture.
These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest Sendmail version number is 8.11.4

Packages
The following are based on information as listed by Sendmail as of 2001/05/25. Please regularly
check at www.sendmail.org for the latest status.

Source code is available from:
Sendmail Homepage: http://www.sendmail.org/
Sendmail FTP Site: 209.246.26.20
You must be sure to download: sendmail.8.11.4.tar.gz

Prerequisites

Sendmail requires that the software listed below be already installed on your system to be able
to compile successfully. If this is not the case, you must install it from your Linux CD-ROM or
source archive file. Please make sure you have this program installed on your machine before
you proceed with this chapter.

✓ OpenSSL, which enables support for SSL functionality, must already be installed on your
system if you want to run Sendmail with SSL features.

Pristine source

If you don't use the RPM package to install this program, it will be difficult for you to locate all
the files installed on the system in the event of an update in the future. To solve the problem,
it is a good idea to make a list of files on the system before you install Sendmail, and one
afterwards, and then compare them using the diff utility of Linux to find out what files are
placed where.

• Simply run the following command before installing the software:
[root@deep /root]# find /* > Sendmail1

• And the following one after you install the software:
[root@deep /root]# find /* > Sendmail2

• Then use the following command to get a list of what changed:
[root@deep /root]# diff Sendmail1 Sendmail2 > Sendmail-Installed

With this procedure, if any upgrade appears, all you have to do is to read the generated list of
what files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of
the system to store all generated list files. Note that a plain list of names only shows files that
were added or removed: a file the install overwrote in place (a configuration file, for example) has
the same name in both lists and does not appear in the diff at all.
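The same before/after comparison, as an added example that is not part of the book: two shell
functions that record the tree and report what an install added, changed or removed. It goes one
step beyond the find/diff procedure above by storing a SHA-256 per file, so a file that was
overwritten in place is reported as well. It assumes GNU coreutils (sha256sum) and paths without
whitespace, since sha256sum's two-column output is split on spaces; the demo tree it builds under
a temporary directory stands in for "/" and is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book): snapshot a file tree before and after an
# install and report what was added, changed or removed. Each line carries the
# file's SHA-256, so an overwritten file is caught, not only a new one.
# Assumes GNU coreutils sha256sum and paths without whitespace.

# snapshot ROOT OUTFILE: one "hash  path" line per regular file under ROOT
snapshot() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# report_changes BEFORE AFTER: one "added:/changed:/removed: path" line per
# difference, sorted so the output is stable
report_changes() {
    awk '
        FILENAME == ARGV[1] { before[$2] = $1; next }
        {
            if (!($2 in before))       print "added: " $2
            else if (before[$2] != $1) print "changed: " $2
            seen[$2] = 1
        }
        END { for (p in before) if (!(p in seen)) print "removed: " p }
    ' "$1" "$2" | sort
}

# demo: a throw-away tree (constructed for the example) plays the role of "/"
# during a fake install; prints the report with the temporary prefix removed
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin" "$root/etc/mail"
    printf 'old config\n' > "$root/etc/mail/sendmail.cf"
    printf 'old binary\n' > "$root/usr/sbin/sendmail.old"
    snapshot "$root" "$root.before"

    # the "install": a new binary, an overwritten config file, a removed file
    printf 'new binary\n' > "$root/usr/sbin/sendmail"
    printf 'new config\n' > "$root/etc/mail/sendmail.cf"
    rm "$root/usr/sbin/sendmail.old"
    snapshot "$root" "$root.after"

    report_changes "$root.before" "$root.after" | sed "s|$root||"
    rm -rf "$root" "$root.before" "$root.after"
}

# On a real system: snapshot / /root/Sendmail1 before, snapshot / /root/Sendmail2
# after, then report_changes /root/Sendmail1 /root/Sendmail2
```

Keep the "before" snapshot somewhere the install cannot touch (the book uses /root), and note
that hashing the whole file system takes far longer than a bare find; restricting ROOT to /usr,
/etc and /var is usually enough for a source install.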
Compiling - Optimizing & Installing Sendmail

Below are the required steps that you must take to compile and optimize the Sendmail
software before installing it on your Linux system. Contrary to the majority of programs that we
have already installed in this book, you'll find further down in this chapter a difference in the
method used to compile and install this program.

Sendmail uses a different procedure to install on the system: instead of the default GNU
autoconf build that many open source programs use, it comes with a script named Build which
generates an appropriate Makefile for your specific system and creates an appropriate
obj.* subdirectory before installing on the system. This method allows the program to be built
easily on multiple platforms.

Step 1
Once you get the program from the main software site you must copy it to the /var/tmp
directory and change to this location before expanding the archive.

• These procedures can be accomplished with the following commands:
[root@deep /]# cp sendmail-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf sendmail-version.tar.gz

Step 2
In order to check that the version of Sendmail which you are going to install is an original and
unmodified one, use the commands described below and check the supplied checksum.

• To verify the MD5 checksum of Sendmail, use the following command:
[root@deep tmp]# md5sum sendmail-version.tar.gz

This should yield an output similar to this:
5e224eeb0aab63b7c178728ae42f26a5  sendmail.8.11.4.tar.gz

Now check that this checksum is exactly the same as the one published on the Sendmail
website at the following URL: http://www.sendmail.org/8.11.html

Keep in mind what this check does and does not prove: a matching checksum shows the archive
was not corrupted or truncated in transit, but a checksum fetched from the same site (or mirror)
as the tarball cannot reveal a compromised site, since whoever can replace the archive can
replace the published checksum too. Where the distribution also publishes a PGP signature for the
archive, verify that as well.

Step 3

We must create a special user called mailnull, which will be the default UID for running
mailers. Sendmail does a getpwnam() on mailnull during startup, and if that's defined in the
/etc/passwd file of Linux, it uses that UID:GID. In addition, if Sendmail sees that it's about to
do something as root, it does it as this special user (mailnull) instead, so that if root has a
.forward file executing a program, that program simply will not run as root.

• To create this special Sendmail user, use the following command:
[root@deep tmp]# useradd -u 47 -d /var/spool/mqueue -r -s /bin/false mailnull >/dev/null 2>&1 || :

The above command will create a null account, with no password, no valid shell, no files owned,
nothing but a UID and a GID.


431 


Sendmail} 2 
CHAPTER |0 


Step 4

After that, move into the newly created Sendmail directory and perform the following steps
before compiling and optimizing it. The modifications we bring to the Sendmail files below are
necessary to be compliant with our Linux file system structure.

• To move into the newly created Sendmail directory, use the following command:
[root@deep tmp]# cd sendmail-8.11.4/

Step 4.1
The file that we must modify is named smrsh.c, located under the source directory of Sendmail.
In this file, we will specify the directory in which all programs that the "smrsh" restricted shell
may execute must reside. smrsh is the shell Sendmail uses, once configured to do so, to run the
commands named in users' .forward files and in aliases; a command whose program is not found
in this directory is refused.

• Edit the smrsh.c file (vi +80 smrsh/smrsh.c) and change the line:

# else /* HPUX10 || HPUX11 || SOLARIS >= 20800 */
# define CMDDIR "/usr/adm/sm.bin"
To read:
# else /* HPUX10 || HPUX11 || SOLARIS >= 20800 */
# define CMDDIR "/etc/smrsh"

Step 4.2

The last modification to this file (smrsh.c) will be to specify the default search path for
commands run by the "smrsh" program. It allows us to limit the locations where these programs
may reside.

• Edit the smrsh.c file (vi +89 smrsh/smrsh.c) and change the line:

# define PATH "/bin:/usr/bin:/usr/ucb"
To read:
# define PATH "/bin:/usr/bin"
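What the CMDDIR setting of Steps 4.1 and 4.2 actually buys you, as an added example that is not
smrsh's own code: a simplified shell model of the checks the restricted shell applies to a command
taken from a .forward file or an alias. The set of rejected metacharacters is an assumption made
for this model (it is not smrsh's exact list), the CMDDIR it uses is a temporary directory holding a
stub procmail, and the command lines it judges are constructed for the demonstration. The point
it shows is general: the directory part of the requested program is discarded, so only a program
placed in CMDDIR can ever run, and a command line carrying shell metacharacters is refused
outright no matter which program it names.

```shell
#!/bin/sh
# Added example (not smrsh's code): a simplified model of the restricted
# shell's decision. Metacharacter set, CMDDIR contents and sample command
# lines are assumptions/constructions for this example.

SMRSH_SPECIALS='`<>|;&$'
SMRSH_NL='
'

# smrsh_allow CMDDIR CMDLINE: exit 0 if the model would run CMDLINE, 1 if not
smrsh_allow() {
    cmddir=$1
    line=$2

    # 1. a shell metacharacter or line break anywhere is an "end run" attempt
    #    (e.g. "procmail; rm -rf /"): the whole line is rejected
    case $line in
        *[$SMRSH_SPECIALS$SMRSH_NL]*) return 1 ;;
    esac

    # 2. only the first word names the program, and its directory part is
    #    dropped: "/usr/bin/procmail" and "procmail" both mean CMDDIR/procmail
    prog=${line%% *}
    prog=${prog##*/}
    [ -n "$prog" ] || return 1

    # 3. the program must exist and be executable inside CMDDIR
    [ -x "$cmddir/$prog" ]
}

# make_cmddir: create a throw-away CMDDIR holding one allowed program
# (a stub named procmail) and print its path
make_cmddir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/procmail"
    chmod 755 "$d/procmail"
    printf '%s\n' "$d"
}

# smrsh_decisions CMDDIR: print one allow/deny line per sample command line
smrsh_decisions() {
    for cmd in '/usr/bin/procmail -f-' \
               'procmail -d alice; rm -rf /' \
               '/bin/sh -c id' \
               'procmail | mail attacker@example.org' \
               'procmail -f- `id`'
    do
        if smrsh_allow "$1" "$cmd"; then echo "allow: $cmd"; else echo "deny: $cmd"; fi
    done
}
```

Only the first of the five sample lines is allowed. On a real system the same logic means
/etc/smrsh should contain nothing but symbolic links to the few programs that may legitimately
be run from .forward files (procmail, vacation and the like); a link to /bin/sh in that directory
would hand back everything the restricted shell takes away.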

Step 4.3

Finally, edit the daemon.c file located under the sendmail subdirectory of the Sendmail source
archive and modify it as follows:

• Edit the daemon.c file (vi +2765 sendmail/daemon.c) and change the line:

/* get result */
p = &ibuf[0];
nleft = sizeof ibuf - 1;
while ((i = read(s, p, nleft)) > 0)
{

To read:

/* get result */
p = &ibuf[0];
nleft = sizeof (ibuf) - 1;
while ((i = read(s, p, nleft)) > 0)
{

Note that this edit does not change what the program does: in C the sizeof operator binds
tighter than binary minus, so "sizeof ibuf - 1" and "sizeof (ibuf) - 1" compute the same value.
It only makes the expression easier to read.
Step 5

The Build script of Sendmail by default uses an operating system file that corresponds to your
operating system type to get information about definitions for system installation and various
compilation values. This file is located under the subdirectory named 'devtools/OS' of the
Sendmail source archive and, if you're running a Linux system, it'll be named 'Linux'.

We'll rebuild and recreate this operating system file to suit our Linux system installation features
and put it in the default devtools/OS subdirectory of the Sendmail source distribution, since
the Build script will look for the default operating system file in this directory at compile time
of Sendmail. In summary, the operating system file is read by Sendmail to get default
information about how to compile the program for your specific system.

• Edit the Linux file (vi devtools/OS/Linux), remove all predefined lines, then
add the following lines inside the file.

define(`confDEPEND_TYPE', `CC-M')
define(`confMANROOT', `/usr/share/man/man')
define(`confLIBS', `-ldl')
define(`confEBINDIR', `/usr/sbin')
define(`confLD', `ld')
define(`confMTLDOPTS', `-lpthread')
define(`confLDOPTS_SO', `-shared')
define(`confSONAME', `-soname')

This tells the Linux file to set itself up for this particular configuration with:

define(`confDEPEND_TYPE', `CC-M')
This macro option specifies how to build dependencies with Sendmail.

define(`confMANROOT', `/usr/share/man/man')
This macro option defines the location to install the Sendmail manual pages.

define(`confLIBS', `-ldl')
This macro option defines the -l flags passed to ld for selecting libraries during linking. Recall
that ld is the GNU linker program which is used in the last step of building a program to link
standard Unix object files on a standard, supported Unix system.

define(`confEBINDIR', `/usr/sbin')
This macro option defines where to install binaries executed from other binaries. On Linux the
path must be set to the /usr/sbin directory.

define(`confLD', `ld')
This macro option simply defines the linker program to use with the Sendmail program. In our case
the linker we use is named ld.

define(`confMTLDOPTS', `-lpthread')
This macro option defines the additional linker options to use for linking multithreaded binaries
with the Sendmail program.

define(`confLDOPTS_SO', `-shared')
This macro option defines the additional linker options to use for linking shared object libraries
with the Sendmail program.

define(`confSONAME', `-soname')
This macro option defines the ld flag to use for recording the shared object name into a shared
object with the Sendmail program.


Step 6 

The Build script of Sendmail can use a default local configuration file specific to your operating 
system type to get additional information about various compilation values. Sendmail will include 
the following file if it is present in the subdirectory named ‘devtools/Site’. The proper way of 
doing local configuration is by creating a file 'site.config.m4' in the directory 
‘devtools/Site’. 


To summarize, if the local configuration file ‘site. config.m4’ exists under the subdirectory 
‘devtools/Site’, then Sendmail will read and include it in its compilation to get additional 
information about how to compile and adjust various parts of the program for your specific 
system. 





e Create the site.config.m4 file (touch devtools/Site/site.config.m4), and 
add the following lines inside the file. 
























































define (*confMAPDEF', ~—DMAP_REGEX') 

define (* confENVDEF', ~-DPICKY_OQF_NAME CHECK -DXDEBUG=0"') 

define (*confCC', *“gcc') 

define (* confOPTIMIZE', ~-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit 
frame-pointer') 

define (* confNO_HELPFILE_INSTALL’ ) 











This tells the site. config.m4 file to set itself up for this particular configuration with: 





define (* confMAPDEF', ~—DMAP_ REGEX") 

This macro option specifies the database type to be included with Sendmail. The “- 
DMAP_REGEX” argument enables regular expression support for the operating system. Note that 
the new Berkeley DB package (NEWDB); NEWDB is the one we need is included automatically by 
the Build script of Sendmail during compile time. Therefore we don’t need to include it in our 
definition. 









































define(`confENVDEF', `-DPICKY_QF_NAME_CHECK -DXDEBUG=0')
This macro option is used primarily to specify other environment information and code that
should be specially included or excluded. With "-DPICKY_QF_NAME_CHECK" defined, Sendmail
logs an error if the name of a "qf" queue control file is incorrectly formed and renames the
"qf" file into a "Qf" file so that it is no longer processed. The "-DXDEBUG=0" argument turns
off the extra internal sanity checks that Sendmail otherwise compiles in.

define(`confCC', `gcc')
This macro option defines the C compiler used to compile Sendmail. In our case we use the
default Linux "gcc" C compiler, which also understands the optimization flags given below.

define(`confOPTIMIZE', `-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer')
This macro option defines the flags passed to CC to optimize the program for our specific CPU
architecture. With the flags used here, the binary will run only on an i686 CPU or newer. This
is also where we expect roughly 30% more speed from our Sendmail build compared to most
prebuilt Sendmail packages available on the Internet.

define(`confNO_HELPFILE_INSTALL')
This macro option tells the Build script not to install the Sendmail help file. The help file
is what backs the SMTP "HELP" command, so without it the server answers HELP with a refusal
rather than with command documentation; some experienced administrators recommend this for
better security.

WARNING: To enable SSL support in Sendmail, refer to the section called "Running Sendmail
with SSL support" later in this chapter for the appropriate instructions before continuing.
This is important.

Step 7

Now, we must make a list of files on the system before installing the software and another
one afterwards, then compare them with the diff utility to find out which files were placed
where, and finally install Sendmail on the server.

[root@deep sendmail-8.11.4]# cd sendmail/
[root@deep sendmail]# sh Build
[root@deep sendmail]# cd ../mailstats/
[root@deep mailstats]# sh Build
[root@deep mailstats]# cd ../smrsh/
[root@deep smrsh]# sh Build
[root@deep smrsh]# cd ../makemap/                   (Required only for Mail Hub configuration)
[root@deep makemap]# sh Build                        (Required only for Mail Hub configuration)
[root@deep makemap]# cd ../praliases/                (Required only for Mail Hub configuration)
[root@deep praliases]# sh Build                      (Required only for Mail Hub configuration)
[root@deep praliases]# cd ..
[root@deep sendmail-8.11.4]# cd
[root@deep /root]# find /* > Sendmail1
[root@deep /root]# cd /var/tmp/sendmail-8.11.4/
[root@deep sendmail-8.11.4]# cd sendmail/
[root@deep sendmail]# sh Build install
[root@deep sendmail]# cd ../mailstats/
[root@deep mailstats]# sh Build install
[root@deep mailstats]# cd ../smrsh/
[root@deep smrsh]# sh Build install
[root@deep smrsh]# cd ../makemap/                   (Required only for Mail Hub configuration)
[root@deep makemap]# sh Build install                (Required only for Mail Hub configuration)
[root@deep makemap]# cd ../praliases/                (Required only for Mail Hub configuration)
[root@deep praliases]# sh Build install              (Required only for Mail Hub configuration)
[root@deep praliases]# cd ..
[root@deep sendmail-8.11.4]# ln -fs /usr/sbin/sendmail /usr/lib/sendmail
[root@deep sendmail-8.11.4]# chmod 511 /usr/sbin/smrsh
[root@deep sendmail-8.11.4]# install -d -m700 /var/spool/mqueue
[root@deep sendmail-8.11.4]# chown 0.mail /var/spool/mail/
[root@deep sendmail-8.11.4]# chmod 1777 /var/spool/mail/
[root@deep sendmail-8.11.4]# mkdir /etc/smrsh
[root@deep sendmail-8.11.4]# strip /usr/sbin/sendmail
[root@deep sendmail-8.11.4]# cd
[root@deep /root]# find /* > Sendmail2
[root@deep /root]# diff Sendmail1 Sendmail2 > Sendmail-Installed

The sh Build command builds the necessary dependencies for the different binary files
required by Sendmail before installation. The sh Build install command installs the
sendmail, mailstats, makemap, praliases and smrsh binaries, as well as the corresponding
manual pages, on your system if they were compiled with the preceding command. The ln -fs
command makes a symbolic link to the sendmail binary in the /usr/lib directory. This is
required since some programs expect to find the sendmail binary there (/usr/lib).

The install command creates the directory "mqueue" with permission 700 under /var/spool.
A mail message can be temporarily undeliverable for a wide variety of reasons. To ensure
that such messages are eventually delivered, Sendmail stores them in its queue directory
until they can be delivered successfully. The chown and chmod commands on /var/spool/mail
give the mailbox spool to root with group "mail" and mode 1777: every user can create a
mailbox there, but the sticky bit stops users from removing or renaming mailboxes that
belong to others. The mkdir command creates the /etc/smrsh directory on your system. This
directory is where we'll put all the program mailers that we allow Sendmail to run.
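The before/after file listing used in Step 7 works for any source install, not only Sendmail. The script below is an added example written for this edition, not part of the book or of the Sendmail distribution: it wraps the find/diff comparison in a function so that the list of new files is produced by the same command that runs the installation. The temporary directory and the fake_install function at the bottom are constructed stand-ins for / and for "sh Build install".

```shell
#!/bin/sh
# Added example: reusable version of the "find before / find after / diff" check
# from Step 7. Not from the book or the Sendmail distribution.
# Assumptions: POSIX sh with find, sort, comm and mktemp available.

# snapshot ROOT : sorted list of every path below ROOT (a stand-in for "find /*")
snapshot() {
    find "$1" 2>/dev/null | LC_ALL=C sort
}

# track_install OUTFILE ROOT CMD [ARGS...]
# Runs CMD, writes every path that exists below ROOT afterwards but did not
# exist before to OUTFILE (the equivalent of "diff Sendmail1 Sendmail2"),
# prints the number of new paths, and returns CMD's exit status.
track_install() {
    out=$1; root=$2; shift 2
    before=$(mktemp) || return 1
    after=$(mktemp) || return 1
    snapshot "$root" > "$before"
    "$@"
    rc=$?
    snapshot "$root" > "$after"
    # comm -13 keeps the lines present only in the second (after) list
    LC_ALL=C comm -13 "$before" "$after" > "$out"
    rm -f "$before" "$after"
    wc -l < "$out" | tr -d ' '
    return $rc
}

# Demo on a constructed tree: pretend the temp dir is / and fake_install is
# "sh Build install" dropping two binaries and the smrsh directory.
demo_root=$(mktemp -d)
fake_install() {
    mkdir -p "$demo_root/usr/sbin" "$demo_root/etc/smrsh"
    : > "$demo_root/usr/sbin/sendmail"
    : > "$demo_root/usr/sbin/smrsh"
}
mkdir -p "$demo_root/etc"            # already present, so it must not be reported
echo "new paths: $(track_install "$demo_root/Installed.txt" "$demo_root" fake_install)"
cat "$demo_root/Installed.txt"
rm -rf "$demo_root"
```

On a real host you would call track_install with / as the root and "sh Build install" as the command, from the directory of each Sendmail component, and keep the output file as the uninstall record the book builds by hand.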








WARNING: The programs "makemap" and "praliases" must only be installed on the Central Mail
Hub Server. The "makemap" utility allows you to create and regenerate a database map like
the /etc/mail/aliases.db or /etc/mail/access.db files for Sendmail. The "praliases" utility
displays the system mail aliases (the content of the /etc/mail/aliases file). Since it is
better to have only one place (like our Central Mail Hub) to handle and manage all the db
files in our network, it is not necessary to use the "makemap" and "praliases" programs and
build db files on the other hosts in the network.

Configuring Sendmail

After Sendmail has been built and installed successfully on your system, your next step is to
configure and customize all the options in the different Sendmail configuration files.
Depending on the kind of mail server you want to run on your Linux server, there are
different configuration files to set up. Those files are:

For running Sendmail as a Central Mail Hub Server:

• /etc/mail/sendmail.mc           (The Sendmail Macro Configuration File)
• /etc/mail/access                (The Sendmail access Configuration File)
• /etc/mail/access.db             (The Sendmail access DB Hash Table)
• /etc/mail/relay-domains         (The Sendmail Relay Configuration File)
• /etc/mail/aliases               (The Sendmail aliases Configuration File)
• /etc/mail/aliases.db            (The Sendmail aliases DB Hash Table)
• /etc/mail/virtusertable         (The Sendmail virtusertable Configuration File)
• /etc/mail/virtusertable.db      (The Sendmail virtusertable DB Hash Table)
• /etc/mail/domaintable           (The Sendmail domaintable Configuration File)
• /etc/mail/domaintable.db        (The Sendmail domaintable DB Hash Table)
• /etc/mail/mailertable           (The Sendmail mailertable Configuration File)
• /etc/mail/mailertable.db        (The Sendmail mailertable DB Hash Table File)
• /etc/mail/local-host-names      (The Sendmail Local Host Configuration File)
• /etc/sysconfig/sendmail         (The Sendmail System Configuration File)
• /etc/rc.d/init.d/sendmail       (The Sendmail Initialization File)

For running Sendmail as a Standalone Mail Server:

• /etc/mail/null.mc               (The Sendmail null client Macro Configuration File)
• /etc/mail/local-host-names      (The Sendmail Local Host Configuration File)
• /etc/sysconfig/sendmail         (The Sendmail System Configuration File)
• /etc/rc.d/init.d/sendmail       (The Sendmail Initialization File)

/etc/mail/sendmail.mc: The Sendmail Macro Configuration File

This section applies only if you chose to install and use Sendmail as a Central Mail Hub
Server on your system. Instead of having each individual server or workstation in a network
handle its own mail, it can be advantageous to have a powerful central server that handles
all mail. Such a server is called a Mail Hub. The advantages of a Central Mail Hub are:

• All incoming mail is sent to the Mail Hub, and no mail is sent directly to a client machine.
• All outgoing mail from clients is sent to the Mail Hub, and the Hub then forwards that mail
  to its ultimate destination.
• All outgoing mail appears to come from a single server and no client's name needs to be
  known to the outside world.
• No client needs to run a sendmail daemon to listen for mail.

Step 1

The "sendmail.cf" is the first configuration file read by Sendmail when it runs and one of
the most important for Sendmail. Among the many items contained in that file are the
locations of all the other files and the default permissions for those files and directories
that Sendmail needs. The m4 macro preprocessor program of Linux is used by Sendmail V8 to
produce a Sendmail configuration file. This macro program produces the
/etc/mail/sendmail.cf configuration file by processing a file whose name ends in ".mc".

For this reason, we'll create this file (sendmail.mc) and put the necessary macro values in
it so that the m4 program can read its input, gather the definitions of the macros, replace
those macros with their values and write the result out as our "sendmail.cf" file. Please
refer to the Sendmail documentation and the README file under the "cf" subdirectory of the
V8 Sendmail source distribution for more information. We must change the sendmail.mc macro
configuration file below to fit our requirements and operating system. The text in bold
marks the parts of the configuration file that must be customized and adjusted to satisfy
our needs.

• Create the sendmail.mc file (touch /etc/mail/sendmail.mc) and add the lines:

VERSIONID(`linux setup for LINUX OpenNA Boreas')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
define(`confTRY_NULL_MX_LIST', true)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun')dnl
define(`confSAFE_FILE_ENV', `/home')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`relay_hosts_only')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl

This tells the sendmail.mc file to set itself up for this particular configuration with:

OSTYPE(`linux')dnl
This configuration option specifies the operating system Sendmail will be running on; in our
case the "linux" operating system. This item is one of the minimum pieces of information
required by the "mc" file.

DOMAIN(`generic')dnl
This configuration option specifies and describes a particular domain appropriate for your
environment.

define(`confTRY_NULL_MX_LIST', true)dnl
This configuration option specifies whether, when the receiving server is the best MX for a
host, Sendmail should try connecting to that host directly. In our configuration we say yes
(true) to this option.

define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
This configuration option sets the path to the procmail program installed on your server.
Since the path in Red Hat Linux differs from other Linux versions, we must specify the new
path with this macro. It's important to note that this macro is also used by the option
FEATURE(`local_procmail') defined later in this file.

define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun')dnl
This configuration option is one of the most important for the security of Sendmail. Setting
the "goaway" option causes Sendmail to disallow all SMTP "EXPN" commands; it also causes it
to reject all SMTP "VERB" commands and to disallow all SMTP "VRFY" commands. These changes
prevent spammers from using the "EXPN" and "VRFY" commands to harvest valid addresses from
Sendmail. Ordinarily, anyone may examine the mail queue's contents by using the "mailq"
command. To restrict who may examine the queue's contents, you must specify the
"restrictmailq" option as shown above. With this option, Sendmail allows only users who are
in the same group as the group ownership of the queue directory (root) to examine the
contents. This allows the queue directory to be fully protected with mode 0700, while
selected users are still able to see the contents. Ordinarily, anyone may process the queue
with the "-q" switch. To limit queue processing to "root" and the owner of the queue
directory, you must specify the "restrictqrun" option too.

define(`confSAFE_FILE_ENV', `/home')dnl
This configuration option limits where in the file system mailbox files can be written. It
does a chroot into the specified portion of the file system before writing files and adds
some other restrictions. In this example, we restrict people to writing only within their
home directories with the value "/home".

FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
This m4 macro enables the use of "smrsh" (the sendmail restricted shell) instead of the
default /bin/sh for mailing programs, to provide increased security control. With this
feature you can control what programs get run via e-mail through the /etc/mail/aliases and
~/.forward files: only programs placed (or linked) in /etc/smrsh can be executed. The
default location for the "smrsh" program is /usr/libexec/smrsh; since we have installed
"smrsh" in another location, we need to add an argument to the smrsh feature to indicate
the new placement /usr/sbin/smrsh. The use of "smrsh" is recommended by CERT, so you are
encouraged to use this feature as often as possible.

FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
This m4 macro enables the use of "mailertable" (a database that selects new delivery
agents). A mailertable is a database that maps "host.domain" names to delivery agent and new
domain name pairs. With this feature, mail can be delivered through a specified delivery
agent to a new domain name. Usually this feature need only be available on a Central Mail
Hub server.

FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
This m4 macro enables the use of "virtusertable" (support for virtual domains), which
allows multiple virtual domains to be hosted on one machine. A virtusertable is a database
that maps virtual domain addresses to new addresses. With this feature, mail for virtual
domains can be delivered to a local, remote, or single user address. Usually this feature
need only be available on a Central Mail Hub server.

FEATURE(`redirect')dnl
This m4 macro enables the use of "redirect" (support for address.REDIRECT). With this
feature, mail addressed to a retired user account, "gmourani" for example, is bounced with
an indication of the new forwarding address. The retired accounts must be set up in the
aliases file on the mail server. Usually this feature need only be available on a Central
Mail Hub server.

FEATURE(`always_add_domain')dnl
This m4 macro enables the use of "always_add_domain" (add the local domain even on local
mail). With this feature, all addresses that are locally delivered are fully qualified. It
is safe and recommended to set this feature for security reasons.

FEATURE(`relay_hosts_only')dnl
This m4 macro enables the use of "relay_hosts_only". Normally, domains are listed in
/etc/mail/relay-domains and any domain name listed in this file is accepted for relaying.
With this feature, each host in a domain must be listed individually. This means that a
domain name like "openna.com" listed in this file is not enough to be accepted for relaying;
you must add the host names, like "host1.openna.com", for the system to accept relaying.

FEATURE(`use_cw_file')dnl
This m4 macro enables the use of "use_cw_file" (use the /etc/mail/local-host-names file for
local hostnames). With this feature you can declare a list of hosts in the
/etc/mail/local-host-names file for which the local host is acting as the MX recipient. In
other words, this feature causes the file /etc/mail/local-host-names to be read to obtain
alternative names for the local host.

FEATURE(`local_procmail')dnl
This m4 macro enables the use of "local_procmail" (use procmail as the local delivery
agent). With this feature you can use procmail as a Sendmail delivery agent.

FEATURE(`access_db')dnl
This m4 macro enables the access database feature. With this feature you have the ability,
through the access db, to allow or refuse mail from specified domains. Usually this feature
need only be available on a Central Mail Hub server.

FEATURE(`blacklist_recipients')dnl
This m4 macro enables the ability to block incoming mail for certain recipient usernames,
hostnames, or addresses. With this feature you can, for example, block incoming mail to user
nobody, host foo.mydomain.com, or guest@bar.mydomain.com.

FEATURE(`dnsbl')dnl
This m4 macro enables Sendmail to automatically reject mail from any site listed in the
Realtime Blackhole List "rbl.maps.vix.com". The DNS-based rejection uses a database of
spammers maintained in DNS. For details, see "http://maps.vix.com/rbl/". Note that the
feature also accepts the name of the list to query as an argument, so if you subscribe to a
different DNSBL, name it explicitly: FEATURE(`dnsbl', `dnsbl.example')dnl, where
dnsbl.example stands for the zone of the list you actually use.

MAILER(`local'), MAILER(`smtp'), and MAILER(`procmail')dnl
These m4 macros enable the use of "local", "smtp", and "procmail" as delivery agents (in
Sendmail, delivery agents are not declared automatically). With them you specify which
agents you want to support and which ones to ignore. The MAILER(`local'), MAILER(`smtp'),
and MAILER(`procmail') options cause support for the local, smtp, esmtp, smtp8, relay and
procmail delivery agents to be included. It's important to note that MAILER(`smtp') should
always precede MAILER(`procmail').

WARNING: Sometimes, a domain with which you wish to continue communicating may end up on the
RBL list. In this case, Sendmail allows you to override the listing so that its e-mail is
still received. To do this, simply edit the /etc/mail/access file and add the appropriate
domain information.

For example:
blacklisted.domain      OK

Step 2

Now that our macro configuration file "sendmail.mc" is created and configured to correspond
to our specific needs, we can build the Sendmail configuration file "sendmail.cf" with these
commands.

• To build the sendmail.cf configuration file, use the following commands:
[root@deep /]# cd /etc/mail/
[root@deep mail]# m4 /var/tmp/sendmail-8.11.4/cf/m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf

NOTE: Here, /var/tmp/sendmail-8.11.4/cf/m4/cf.m4 tells the m4 program where to look for its
default configuration file information. Please note that the Sendmail version may change; in
that case don't forget to update the above command line to reflect the change.

Step 3
Finally, we must set the mode permission of this file to (0600/-rw-------) and have it owned
by the super-user "root" for security reasons.

• To change the mode permissions and ownership of the sendmail.cf file, use the following
commands:
[root@deep mail]# chmod 600 sendmail.cf
[root@deep mail]# chown 0.0 sendmail.cf

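A typo in a define() or FEATURE() name is not an error for m4: the macro simply never expands and the generated sendmail.cf keeps the compiled-in default. The script below is an added example for this edition, not part of the book or of Sendmail. It reads the "O Name=value" option lines of a sendmail.cf and reports which of the privacy flags we asked for in sendmail.mc are missing. The sendmail.cf fragments in the demo are constructed by hand, not produced by m4.

```shell
#!/bin/sh
# Added example: verify that a generated sendmail.cf carries the options the
# .mc file asked for. Not from the book or the Sendmail distribution.
# Assumptions: option lines use the V8 "O Name=value" syntax; the sample cf
# text below is constructed for the demo.

# cf_option CF NAME : print the value of option NAME ("" if the line is absent)
cf_option() {
    sed -n "s/^O $2=//p" "$1" | head -n 1
}

# cf_privacy_missing CF FLAG... : print each FLAG not present in PrivacyOptions;
# return the number of missing flags (0 means the cf matches what we asked for)
cf_privacy_missing() {
    cf=$1; shift
    have=$(cf_option "$cf" PrivacyOptions | tr -d ' ')
    missing=0
    for flag in "$@"; do
        case ",$have," in
            *",$flag,"*) ;;
            *) echo "PrivacyOptions lacks $flag"; missing=$((missing + 1)) ;;
        esac
    done
    return $missing
}

# Demo: a cf built from our sendmail.mc beside one where confPRIVACY_FLAGS was
# misspelled, so m4 left sendmail's default PrivacyOptions (authwarnings) in place.
good=$(mktemp); bad=$(mktemp)
printf '%s\n' '# constructed sample' \
    'O PrivacyOptions=authwarnings,goaway,restrictmailq,restrictqrun' \
    'O SafeFileEnvironment=/home' > "$good"
printf '%s\n' '# constructed sample' 'O PrivacyOptions=authwarnings' > "$bad"
for cf in "$good" "$bad"; do
    echo "checking $cf: SafeFileEnvironment=$(cf_option "$cf" SafeFileEnvironment)"
    cf_privacy_missing "$cf" goaway restrictmailq restrictqrun && echo "privacy flags ok"
done
rm -f "$good" "$bad"
```

Run it against /etc/mail/sendmail.cf right after the m4 step; a non-zero exit means the macro file did not produce the options you wrote into it.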
/etc/mail/access: The Sendmail Access Configuration File

This section applies only if you chose to install and use Sendmail as a Central Mail Hub
Server on your system. The "access" database file can be created to accept or reject mail
from selected domains. For example, you may choose to reject all mail originating from known
spammers. In our configuration, we use this file to list all e-mail addresses from which we
don't want to accept mail. This is useful to block unsolicited mail coming into our
mailboxes.

Step 1

The files "access" and "access.db" are not required for Local or Neighbor Client setups.
They are required only if you decide to set up a Central Mail Hub to handle all your mail.
Also note that the use of a Central Mail Hub improves the security and the management of
the other servers and clients on your network that run Sendmail. We must change the access
configuration file below to fit your requirements. The text in bold marks the parts of the
configuration file that must be customized and adjusted to satisfy our needs.

• Create the access file (touch /etc/mail/access) and add the following lines:

The description shown below of the format of this file comes from the Sendmail source
distribution, in the "cf/README" file.

The table itself uses mail addresses, domain names, and network
numbers as keys. For example,

        spammer@aol.com                 REJECT
        cyberspammer.com                REJECT
        192.168.212                     REJECT

would refuse mail from spammer@aol.com, any user from cyberspammer.com
(or any host within the cyberspammer.com domain), and any host on the
192.168.212.* network.

The value part of the map can contain:

        OK              Accept mail even if other rules in the
                        running ruleset would reject it, for example,
                        if the domain name is unresolvable.
        RELAY           Accept mail addressed to the indicated domain
                        or received from the indicated domain for
                        relaying through your SMTP server.  RELAY also
                        serves as an implicit OK for the other checks.
        REJECT          Reject the sender or recipient with a general
                        purpose message.
        DISCARD         Discard the message completely using the
                        $#discard mailer.  This only works for sender
                        addresses (i.e., it indicates that you should
                        discard anything received from the indicated
                        domain).

For example:

        cyberspammer.com        550 We don't accept mail from spammers
        okay.cyberspammer.com   OK
        sendmail.org            OK
        128.32                  RELAY

would accept mail from okay.cyberspammer.com, but would reject mail
from all other hosts at cyberspammer.com with the indicated message.
It would accept mail from any hosts in the sendmail.org domain,
and allow relaying for the 128.32.*.* network.

You can also use the access database to block sender addresses based on
the username portion of the address.  For example:

        FREE.STEALTH.MAILER@    550 Spam not accepted

Note that you must include the @ after the username to signify that
this database entry is for checking only the username portion of the
sender address.

If you use, as we do in our sendmail.mc macro configuration:

        FEATURE(`blacklist_recipients')

then you can add entries to the map for local users, hosts in your
domains, or addresses in your domain which should not receive mail:

        badlocaluser                    550 Mailbox disabled for this username
        host.mydomain.com               550 That host does not accept mail
        user@otherhost.mydomain.com     550 Mailbox disabled for this recipient

This would prevent a recipient of badlocaluser@mydomain.com, any
user at host.mydomain.com, and the single address
user@otherhost.mydomain.com from receiving mail.  Enabling this
feature will keep you from sending mail to all addresses that
have an error message or REJECT as value part in the access map.
Taking the example from above:

        spammer@aol.com                 REJECT
        cyberspammer.com                REJECT

Mail can't be sent to spammer@aol.com or anyone at cyberspammer.com.

#
home.com                DISCARD
china.com               DISCARD

WARNING: Don't forget to specify in this "access" file all the unsolicited e-mail addresses
that you don't want to receive e-mail from.

Step 2
Once the access file has been configured to fit our requirements, we must use the "makemap"
utility program of Sendmail to create the database map of this file.

• To create the "access database map", use the following command:
[root@deep /]# makemap hash /etc/mail/access.db < /etc/mail/access

NOTE: Each time you add or modify information in the access configuration file of Sendmail,
it's important to rerun the makemap utility as shown above to regenerate the access.db file
and update its internal information. Also don't forget to restart Sendmail for the changes
to take effect.

Step 3
Finally, we must set the mode permission of these files to (0600/-rw-------) and have them
owned by the super-user "root" for security reasons.

• To change the mode permission and ownership of the access and access.db files, use the
following commands:
[root@deep mail]# chmod 600 access
[root@deep mail]# chmod 600 access.db
[root@deep mail]# chown 0.0 access
[root@deep mail]# chown 0.0 access.db
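makemap accepts any key/value text, so a too-broad RELAY key or a misspelled value only shows up later, as an open relay or as mail that is not rejected. The script below is an added example for this edition, not part of the book or of Sendmail. It reads an access file in the key/value format shown above and reports values the access map does not define, as well as RELAY entries keyed on a whole /8 network, on a bare username, or on an unqualified name. The entries in the demo are constructed.

```shell
#!/bin/sh
# Added example: sanity-check /etc/mail/access before running makemap.
# Not from the book or the Sendmail distribution.
# Assumptions: the classic key<whitespace>value format shown above (no
# Connect:/From:/To: tags); keys are addresses, user@, domain names or
# dotted network prefixes.

# lint_access FILE : print "line N: problem" for each suspect entry;
# return the number of problems found (0 = nothing flagged)
lint_access() {
    awk '
    function bad(n, msg) { print "line " n ": " msg; problems++ }
    /^[ \t]*#/ { next }                       # comment
    NF == 0    { next }                       # blank line
    {
        key = $1
        if (NF < 2) { bad(NR, "missing value for key " key); next }
        val = $2
        for (i = 3; i <= NF; i++) val = val " " $i   # keep reject-message text intact
        # the map only understands these values (or a 4xx/5xx code plus message)
        if (val !~ /^(OK|RELAY|REJECT|DISCARD|[45][0-9][0-9] .+)$/)
            bad(NR, "unknown value \"" val "\" for key " key)
        if ($2 == "RELAY") {
            if (key ~ /^[0-9]+(\.[0-9]+)*$/) {
                # dotted prefix: a single octet relays an entire /8
                if (split(key, octet, ".") < 2) bad(NR, "RELAY for whole /8 network " key)
            } else if (key ~ /@$/) {
                # envelope senders are unauthenticated, so user@ RELAY is an open relay
                bad(NR, "RELAY keyed on a username (" key ")")
            } else if (key !~ /\./ && key != "localhost") {
                bad(NR, "RELAY for unqualified name " key)
            }
        }
    }
    END { exit problems + 0 }
    ' "$1"
}

# Demo on a constructed access file: two entries should be flagged.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample access file
spammer@aol.com                 REJECT
cyberspammer.com                550 We don't accept mail from spammers
FREE.STEALTH.MAILER@            550 Spam not accepted
128.32                          RELAY
10                              RELAY
sendmail.org                    ACCEPT
localhost                       RELAY
EOF
lint_access "$sample" || echo "$? problem(s) found, fix them before running makemap"
rm -f "$sample"
```

Run lint_access /etc/mail/access before the makemap command in Step 2; the exit status is the number of entries to look at, so it can gate a script that rebuilds access.db.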


/etc/mail/relay-domains: The Sendmail Relay Configuration File

This section applies only if you chose to install and use Sendmail as a Central Mail Hub
Server on your system. With the new release of Sendmail, relaying is now denied by default
(this is an anti-spam feature), and if you want to allow some hosts in your network to relay
through your mail server, you must create and use the "relay-domains" file to list the FQDN
of each host allowed to relay through your mail server.

Step 1
• Create the relay-domains file (touch /etc/mail/relay-domains) and add the following
lines:

localhost
www.openna.com
ns1.openna.com
ns2.openna.com

In the above example, we allow localhost, www.openna.com, ns1.openna.com, and
ns2.openna.com to relay through our mail server. Because our sendmail.mc enables
FEATURE(`relay_hosts_only'), every entry must be a host name; a bare domain such as
openna.com would not allow its hosts to relay. Sendmail reads this file when it starts, so
restart it after changing the list.

Step 2
Finally, we must set the mode permission of this file to (0600/-rw-------) and have it owned
by the super-user "root" for security reasons.

• To change the mode permission and ownership of the relay-domains file, use the following
commands:
[root@deep mail]# chmod 600 relay-domains
[root@deep mail]# chown 0.0 relay-domains

/etc/mail/aliases: The Sendmail Aliases Configuration File

This section applies only if you chose to install and use Sendmail as a Central Mail Hub
Server on your system. Aliasing is the process of converting one local recipient name on the
system into another (aliasing occurs only on local names). Example uses are to convert a
generic name (such as root) into a real username on the system, or to convert one name into
a list of many names (for mailing lists).

Step 1

For every envelope that lists a local user as a recipient, Sendmail looks up that
recipient's name in the "aliases" file. Because Sendmail may have to search through
thousands of names in the "aliases" file, a copy of the file is stored in a separate "db"
database format file to significantly improve lookup speed.

If you configure your Sendmail to use a Central Server (Mail Hub) to handle all mail, you
don't need to create the "aliases" and "aliases.db" files on the neighbor servers or client
machines. We must change the aliases configuration file below to fit our requirements.

• Create the aliases file (touch /etc/mail/aliases) and add the following lines by
default:

# Basic system aliases -- these MUST be present.
MAILER-DAEMON:  postmaster
postmaster:     root

# General redirections for pseudo accounts.
bin:            root
daemon:         root
nobody:         root
mailnull:       root

# Person who should get root's mail
#root:          gmourani

NOTE: Your aliases file will probably be far more complex, but even so, note how the example
shows the minimum form of aliases.

Step 2
Since /etc/mail/aliases is a database, after creating the text file as described above, you
must use the "makemap" program of Sendmail to create its database map.

• To create the "aliases database map", use the following command:
[root@deep /]# makemap hash /etc/mail/aliases.db < /etc/mail/aliases

NOTE: Don't forget to run the newaliases utility of Sendmail after each modification of the
aliases file, or your changes will not take effect. newaliases rebuilds aliases.db from the
text file, so on a running system it takes the place of the makemap command above.

When you start having a lot of aliases in your /etc/mail/aliases file, it's sometimes
better to put huge alias lists in separate files. Sendmail allows you to tell it to read
e-mail addresses from a file instead of listing them in /etc/mail/aliases. Use a parameter
like ":include:/path/to/file" in place of the e-mail addresses in /etc/mail/aliases to do
it.

As an example you can put the following in your /etc/mail/aliases file:
list:           :include:/etc/mail/openna.txt

By adding the above line to your /etc/mail/aliases file, all e-mail addresses for the alias
"list" are read from /etc/mail/openna.txt. The format of the file openna.txt is e-mail
addresses separated by commas (one address per line also works).

Step 3
Finally, we must set the mode permission of these files to (0600/-rw-------) and have them
owned by the super-user "root" for security reasons.

• To change the mode permission and ownership of the aliases and aliases.db files, use the
following commands:
[root@deep mail]# chmod 600 aliases
[root@deep mail]# chmod 600 aliases.db
[root@deep mail]# chown 0.0 aliases
[root@deep mail]# chown 0.0 aliases.db
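An :include: file is the one part of alias processing that lives outside the 0600 /etc/mail/aliases just protected, and whoever can write it controls where that alias delivers. The script below is an added example for this edition, not part of the book or of Sendmail. It extracts every :include: reference from an aliases file, checks that the list file exists and is not group- or world-writable, and counts the addresses it holds. The aliases file and list files in the demo are constructed.

```shell
#!/bin/sh
# Added example: audit the :include: list files referenced from an aliases file.
# Not from the book or the Sendmail distribution.
# Assumptions: "name: :include:/path" lines as shown above; list files hold
# addresses separated by commas or newlines; paths contain no whitespace.

# include_files ALIASES : print "alias /path" for every :include: reference
include_files() {
    awk -F: '/^[ \t]*#/ || NF == 0 { next }
             /:include:/ {
                 name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
                 path = $0; sub(/.*:include:[ \t]*/, "", path); sub(/[ \t,].*$/, "", path)
                 print name, path
             }' "$1"
}

# list_members FILE : one address per line, comments and blanks dropped
list_members() {
    tr ',' '\n' < "$1" | tr -d ' \t' | grep -v '^#' | grep -v '^$' || true
}

# file_mode FILE : octal permission bits (GNU stat, falling back to BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_includes ALIASES : one status line per :include:; returns the number of
# list files that are missing or writable by group/other
check_includes() {
    problems=0
    while read -r alias path; do
        [ -n "$alias" ] || continue
        if [ ! -f "$path" ]; then
            echo "$alias: $path missing"
            problems=$((problems + 1))
            continue
        fi
        mode=$(file_mode "$path")
        # 18 decimal is 022 octal: the group and other write bits
        if [ $(( 0$mode & 18 )) -ne 0 ]; then
            echo "$alias: $path is group/world writable (mode $mode)"
            problems=$((problems + 1))
        else
            echo "$alias: $path ok, $(list_members "$path" | wc -l | tr -d ' ') member(s)"
        fi
    done <<EOF
$(include_files "$1")
EOF
    return $problems
}

# Demo on a constructed aliases file with one sane list, one writable list
# and one dangling reference.
d=$(mktemp -d)
printf 'alice@example.com, bob@example.com\ncarol@example.com\n' > "$d/staff.txt"
chmod 644 "$d/staff.txt"
printf 'x@example.com\n' > "$d/open.txt"
chmod 666 "$d/open.txt"
printf '%s\n' '# constructed sample' 'postmaster: root' \
    "staff: :include:$d/staff.txt" "open: :include:$d/open.txt" \
    "gone: :include:$d/none.txt" > "$d/aliases"
check_includes "$d/aliases" || echo "$? include file(s) need attention"
rm -rf "$d"
```

Run check_includes /etc/mail/aliases before newaliases; a list file that is writable by its group or by everyone should be tightened with chmod before the alias goes live.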


/etc/mail/virtusertable, domaintable, mailertable: The Sendmail DB Hash Table Files

This section applies only if you chose to install and use Sendmail as a Central Mail Hub
Server on your system. All of these files relate to particular features of Sendmail that can
be tuned by the system administrator. Once again, these features are usually required only on
the Central Mail Hub server. The following is an explanation of each one.

The virtusertable & virtusertable.db files:
A virtusertable is a database that maps virtual domains into new addresses. With this
feature, mail for a virtual domain on your network can be delivered to a local, remote, or
single user address.

The domaintable & domaintable.db files:
A domaintable is a database that maps an old domain to a new one. With this feature,
multiple domain names on your network can be rewritten from the old domain to the new.

The mailertable & mailertable.db files:
A mailertable is a database that maps "host.domain" names to delivery agent and new domain
name pairs. With this feature, mail on your network can be delivered through a particular
delivery agent to a new local or remote domain name.

• To create the virtusertable, domaintable, mailertable, and their corresponding ".db"
files in the /etc/mail directory, use the following commands:

[root@deep /]# for map in virtusertable domaintable mailertable
> do
> touch /etc/mail/${map}
> chmod 0600 /etc/mail/${map}
> makemap hash /etc/mail/${map}.db < /etc/mail/${map}
> chmod 0600 /etc/mail/${map}.db
> done

/etc/mail/null.mc: The Sendmail Null Client Macro File

This section applies only if you chose to install and use Sendmail as a Standalone Mail
Server on your system. Since our local client machines never receive mail directly from the
outside world, and relay (send) all their mail through the Mail Hub server, we will create a
special file called "null.mc", which, when later processed, creates a customized
"sendmail.cf" configuration file that responds to this special setup for our neighbor or
local server client machines.

Step 1

This m4 macro file is simple to create and configure because it doesn't need a lot of
features, as the macro configuration file (sendmail.mc) for the Central Mail Hub server did.
We must change the null.mc macro configuration file below to fit our requirements and
operating system. The text in bold marks the parts of the configuration file that must be
customized and adjusted to satisfy our needs.

• Create the null.mc file (touch /etc/mail/null.mc) and add the following lines:

VERSIONID(`linux setup for LINUX OpenNA Boreas')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
FEATURE(`nullclient', `boreas.openna.com')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun')dnl
define(`confSAFE_FILE_ENV', `/home')dnl
undefine(`ALIAS_FILE')dnl

This tells the null.mc file to set itself up for this particular configuration setup with:

OSTYPE(`linux')

This configuration option specifies the default operating system Sendmail will be running on, in
our case the “linux” system. This item is one of the minimal pieces of information required by
the “mc” file.





DOMAIN(`generic')

This configuration option specifies and describes a particular domain appropriate for your
environment.











FEATURE(`nullclient', `boreas.openna.com')

This m4 macro sets your client machines to never receive mail directly, to send their mail to a
Central Mail Hub, and to relay all mail through that server rather than sending directly. This feature
creates a stripped-down configuration file containing nothing but support for forwarding all mail to
a Mail Hub via a local SMTP-based network. The argument `boreas.openna.com' included in
this feature is the canonical name of that Mail Hub. You should, of course, CHANGE this
canonical name to reflect your Mail Hub Server, for example: FEATURE(`nullclient',
`my.mailhub.com').

















define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun')dnl

As for the previous sendmail.mc file, this configuration option is one of the most important for
the security of Sendmail. Setting the “goaway” option causes Sendmail to disallow all SMTP
“EXPN” commands; it also causes it to reject all SMTP “VERB” commands and to disallow all
SMTP “VRFY” commands. These changes prevent spammers from using the “EXPN” and
“VRFY” commands in Sendmail. Ordinarily, anyone may examine the mail queue's contents by
using the “mailq” command. To restrict who may examine the queue's contents, you must
specify the “restrictmailq” option as shown above. With this option, Sendmail allows only
users who are in the same group as the group ownership of the queue directory (root) to
examine the contents. This allows the queue directory to be fully protected with mode 0700, while
selected users are still able to see the contents. Ordinarily, anyone may process the queue with
the “-q” switch. To limit queue processing to “root” and the owner of the queue directory, you
must specify the “restrictqrun” option too.
define(`confSAFE_FILE_ENV', `/home')dnl

This configuration option limits where in the file system mailbox files can be written. It does a
chroot into the specified portion of the file system and adds some other restrictions. In this
example, we restrict people to writing only in their home directories with the value "/home".














undefine(`ALIAS_FILE')

This configuration option prevents the nullclient version of Sendmail from trying to access the
/etc/mail/aliases and /etc/mail/aliases.db files. With the addition of this line in the
“mc” file, you don't need to have an “aliases” file on all your internal neighbor client Sendmail
machines. Aliases files are required only on the Mail Hub Server for all server and client aliases
on the network.











WARNING: Don't forget to change the example canonical name `boreas.openna.com' to reflect
your own Mail Hub Server canonical name, for example: FEATURE(`nullclient',
`my.mailhub.com'). With this kind of configuration, note that no mailers should be
defined, and no aliasing or forwarding is done.

















Step 2

Now that our macro configuration file “null.mc” is created, we can build the Sendmail
configuration file “sendmail.cf” from these statements on all our neighbor servers and client
machines with the following commands:

• To build the sendmail.cf configuration file, use the following commands:
[root@deep /]# cd /etc/mail/
[root@deep mail]# m4 /var/tmp/sendmail-8.11.4/cf/m4/cf.m4 null.mc > /etc/mail/sendmail.cf


Step 3

No mail should ever again be delivered to your local machine. Since there will be no incoming
mail connections, you no longer need to run Sendmail as a full daemon on your neighbor or
local server and client machines.

• To stop the Sendmail daemon from running on your neighbor or local server, or client
  machines, edit or create the /etc/sysconfig/sendmail file and change/add the line
  that reads:

DAEMON=yes

To read:

DAEMON=no

And:

QUEUE=1h


























NOTE: The “QUEUE=1h” line in the /etc/sysconfig/sendmail file causes Sendmail to process
the queue once every hour. We leave that line in place because Sendmail still needs to
process the queue periodically in case the Central Mail Hub Server is down.
Step 4

Local machines never use the aliases, access, or other map databases. Since all map file
databases are located and used on the Central Mail Hub Server for all local machines we may
have on the network, we can safely remove the following binary and manual pages from all our
local machines.

/usr/bin/newaliases
/usr/share/man/man1/newaliases.1
/usr/share/man/man5/aliases.5

• To remove these files from your system, use the commands:
[root@client /]# rm -f /usr/bin/newaliases
[root@client /]# rm -f /usr/share/man/man1/newaliases.1
[root@client /]# rm -f /usr/share/man/man5/aliases.5


Step 5

Remove the unnecessary Procmail program from every local Sendmail server or client.
Since local machines send all internal and outgoing mail to the Mail Hub Server for later
delivery, we don't need to use a complex local delivery agent program like Procmail to do the
job. Instead we can use the default /bin/mail program of Linux.

• To remove Procmail from your system, use the following command:
[root@client /]# rpm -e procmail


Step 6

Finally, we must set the mode permission of the sendmail.cf file to be (0600/-rw-------)
and owned by the super-user “root” for security reasons.

• To change the mode permission and ownership of the sendmail.cf file, use the
  following commands:
[root@deep mail]# chmod 600 /etc/mail/sendmail.cf
[root@deep mail]# chown 0.0 /etc/mail/sendmail.cf
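As an added check that is not part of the book, the Python script below audits a null-client host against what Steps 1 through 6 set up: the PrivacyOptions, SafeFileEnvironment and absence of AliasFile in the generated sendmail.cf, its 0600 mode, and DAEMON=no with a QUEUE interval in /etc/sysconfig/sendmail. The `root` argument, the build_demo_tree() helper and its constructed sample files are assumptions made so the audit can run offline in a temporary directory; on a real client call audit_null_client("/").

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Flags set through confPRIVACY_FLAGS in null.mc; m4 renders them into
# sendmail.cf as an "O PrivacyOptions=..." line.
REQUIRED_PRIVACY = {"authwarnings", "goaway", "restrictmailq", "restrictqrun"}


def parse_cf_options(text):
    """Collect the 'O Name=value' option lines of a sendmail.cf into a dict."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^O\s+([A-Za-z]+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts


def parse_sysconfig(text):
    """Parse the KEY=value lines of /etc/sysconfig/sendmail (comments ignored)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip("\"'")
    return conf


def audit_null_client(root="/"):
    """Return findings for the null-client host rooted at `root`; [] means all checks passed."""
    root = Path(root)
    findings = []

    cf = root / "etc/mail/sendmail.cf"
    if not cf.is_file():
        return ["sendmail.cf: missing"]
    mode = stat.S_IMODE(cf.stat().st_mode)
    if mode != 0o600:                                   # Step 6: chmod 600
        findings.append(f"sendmail.cf: mode {mode:04o}, expected 0600")

    opts = parse_cf_options(cf.read_text())
    privacy = {p.strip() for p in opts.get("PrivacyOptions", "").split(",") if p.strip()}
    missing = REQUIRED_PRIVACY - privacy
    if missing:                                         # confPRIVACY_FLAGS
        findings.append("PrivacyOptions missing: " + ",".join(sorted(missing)))
    if opts.get("SafeFileEnvironment") != "/home":      # confSAFE_FILE_ENV
        findings.append("SafeFileEnvironment is not /home")
    if "AliasFile" in opts:                             # undefine(`ALIAS_FILE')
        findings.append("AliasFile is defined; a null client should not use aliases")

    sysconfig = root / "etc/sysconfig/sendmail"
    if not sysconfig.is_file():
        findings.append("etc/sysconfig/sendmail: missing")
    else:
        conf = parse_sysconfig(sysconfig.read_text())
        if conf.get("DAEMON", "").lower() != "no":     # Step 3: DAEMON=no
            findings.append("sysconfig: DAEMON must be 'no' on a null client")
        if not conf.get("QUEUE"):                       # Step 3: keep QUEUE=1h
            findings.append("sysconfig: QUEUE interval is not set")
    return findings


def build_demo_tree(root, hardened):
    """Write constructed sample files (not a real sendmail.cf) under `root`."""
    root = Path(root)
    (root / "etc/mail").mkdir(parents=True)
    (root / "etc/sysconfig").mkdir(parents=True)
    if hardened:
        cf_text = ("O PrivacyOptions=authwarnings,goaway,restrictmailq,restrictqrun\n"
                   "O SafeFileEnvironment=/home\n")
        sysconfig_text = "DAEMON=no\nQUEUE=1h\n"
        cf_mode = 0o600
    else:   # a client built from the Mail Hub's sendmail.mc by mistake
        cf_text = ("O PrivacyOptions=authwarnings\n"
                   "O AliasFile=/etc/mail/aliases\n")
        sysconfig_text = "DAEMON=yes\nQUEUE=1h\n"
        cf_mode = 0o644
    cf = root / "etc/mail/sendmail.cf"
    cf.write_text(cf_text)
    os.chmod(cf, cf_mode)
    (root / "etc/sysconfig/sendmail").write_text(sysconfig_text)


def demo():
    """Audit one hardened and one misconfigured constructed tree."""
    results = []
    for hardened in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            build_demo_tree(tmp, hardened)
            results.append(audit_null_client(tmp))
    return results
```

demo() returns an empty finding list for the hardened tree and five findings for the misconfigured one (mode, three missing privacy flags, SafeFileEnvironment, AliasFile, DAEMON).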


/etc/mail/local-host-names: The Sendmail Local Configuration File

This section applies to every kind of Sendmail server that you may want to run on your system.
The /etc/mail/local-host-names file is read to obtain alternative names for the local host.
One use for such a file might be to declare a list of hosts in your network for which the local host
is acting as the MX recipient. On that machine we simply need to add the names of machines for
which it (i.e. boreas.openna.com) will handle mail to /etc/mail/local-host-names. Here
is an example:

• Create the local-host-names file (touch /etc/mail/local-host-names) and
  add the following lines:

# local-host-names - include all aliases for your machine here.
openna.com
smtp.openna.com
gurukuan.com
domain.com

With this type of configuration, all mail sent will appear as if it were sent from “openna.com”,
“gurukuan.com” or “domain.com”.


Please be aware that if you configure your system to masquerade as another, any e-mail sent
from your system to your system will be sent to the machine you are masquerading as. For
example, in the above illustration, log files that are periodically sent to
root@cronus.openna.com or the other hosts in the example above by the cron daemon of
Linux would be sent to root@boreas.openna.com, our Central Mail Hub Server.








WARNING: Do not use the local-host-names file of Sendmail on any Mail Server that runs as a
Standalone Server, or the masquerading feature of your Sendmail Server which is configured as
a Central Mail Hub Server will not work. Only your Mail Hub Server must have all the names of the
hosts on your LAN in its local-host-names file. Every local-host-names file on internal
servers where you've used the null.mc client macro file must be empty. After that, all you have
to do is to point all your internal clients to the Central Mail Hub Server to get email.





/etc/sysconfig/sendmail: The Sendmail System Configuration File

This section applies to every kind of Sendmail server that you may want to run on your system.
The /etc/sysconfig/sendmail file is used to specify Sendmail system configuration
information, such as whether Sendmail should run as a daemon, whether it should listen for mail
or not, and how much time to wait before sending a warning if messages in the queue directory
have not been delivered.





• Create the sendmail file (touch /etc/sysconfig/sendmail) and add the lines:

DAEMON=yes
QUEUE=1h

















The “DAEMON=yes” option instructs Sendmail to run as a daemon. This line is useful when
Sendmail client machines are configured to not accept mail directly from outside in favor of
forwarding all local mail to a Central Hub; not running a daemon also improves security. If you
have configured your server or client machines in this way, all you have to do is to replace the
“DAEMON=yes” option with “DAEMON=no”.

Mail is usually placed into the queue because it could not be transmitted immediately. The
“QUEUE=1h” option sets the time interval before Sendmail sends a warning to the sender if the
message has not been delivered.














/etc/rc.d/init.d/sendmail: The Sendmail Initialization File

This section applies to every kind of Sendmail server that you may want to run on your system.
The /etc/rc.d/init.d/sendmail script file is responsible for automatically starting and stopping the
sendmail daemon on your server even if you're not running a Mail Hub Server. Loading the
sendmail daemon as a standalone daemon will eliminate load time and will even reduce
swapping since non-library code will be shared.
Step 1

Create the sendmail script file (touch /etc/rc.d/init.d/sendmail) and add the
following lines:

#!/bin/sh
#
# sendmail      This shell script takes care of starting and stopping
#               sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

# Source function library.
. /etc/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source sendmail configuration.
if [ -f /etc/sysconfig/sendmail ] ; then
        . /etc/sysconfig/sendmail
else
        DAEMON=no
        QUEUE=1h
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/sendmail ] || exit 0

RETVAL=0

start() {
        # Start daemons.
        echo -n "Starting Sendmail: "
        /usr/bin/newaliases > /dev/null 2>&1
        for i in virtusertable access domaintable mailertable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
        done
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
                                  $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n "Shutting down Sendmail: "
        killproc sendmail
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart|reload)
        stop
        start
        RETVAL=$?
        ;;
  condrestart)
        if [ -f /var/lock/subsys/sendmail ]; then
            stop
            start
            RETVAL=$?
        fi
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  *)
        echo "Usage: sendmail {start|stop|restart|condrestart|status}"
        exit 1
esac

exit $RETVAL





Step 2

Once the sendmail script file has been created, it is important to make it executable, change its
default permissions, create the necessary links and start it. Making this file executable will allow
the system to run it; changing its default permissions allows only the root user to change this
file, for security reasons; and creating the symbolic links will let the process control initialization
of Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the program automatically for you at each reboot.

• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/sendmail
[root@deep /]# chown 0.0 /etc/rc.d/init.d/sendmail

• To create the symbolic rc.d links for Sendmail, use the following commands:
[root@deep /]# chkconfig --add sendmail
[root@deep /]# chkconfig --level 2345 sendmail on

• To start the Sendmail software manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/sendmail start
Starting Sendmail:                                         [  OK  ]
NOTE: All software we describe in this book has a specific directory and subdirectory in the tar
compressed archive named floppy-2.0.tgz containing configuration files for the specific
program. If you get this archive file, you won't be obliged to reproduce the different
configuration files manually or cut and paste them to create or change your configuration files.
Whether you decide to copy manually or get the files made for your convenience from the
compressed archive, it will be your responsibility to modify them to adjust for your needs, and
place the files related to this software in the appropriate places on your server. The server
configuration file archive to download is located at the following Internet address:
ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz.





Step 3 

Once compilation, optimization, installation, and configuration by the use of the m4 macro of the 
Mail Server type you want to run have been finished, we can free up some disk space by deleting 
the program tar archives and the related source directory since they are no longer needed. 


• To delete the program and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf sendmail-version/ 
[root@deep tmp]# rm -f sendmail-version.tar.gz 


The rm commands as used above will remove the source files we have used to compile and 
install Sendmail. It will also remove the Sendmail compressed archive from the /var/tmp/ 
directory. 


Running Sendmail with SSL support

This section applies only if you want to run Sendmail over an SSL connection. Sendmail
(version 8.11 and above) supports SMTP STARTTLS or, if you prefer, SSL. To enable the encryption
feature of Sendmail we need to recompile it and add STARTTLS support in the default local
configuration file called (site.config.m4). This also implies that we need to install an external
program named sfio, which is required by Sendmail to run with SSL. Of course we assume
that OpenSSL is already installed on your server.

To begin our implementation of SSL into Sendmail we will first install the sfio program,
recompile Sendmail by adding some new options to the ‘site.config.m4’ macro file to
recognize the addition of SSL support, then create the necessary certificate keys and finally add the
required SSL parameters to the ‘sendmail.mc’ macro file before creating its ‘sendmail.cf’
configuration file. Running Sendmail with SSL support is no easy task. Before we embark on
this, we need to first decide whether it is beneficial for you to do so. Some pros and cons are, but
most certainly not limited to, the following:

Pros:
✓ Client and server of an SMTP connection can be identified.
✓ The transmission of e-mail between a client and server utilizing STARTTLS cannot be
  read and retranslated into plaintext provided a sufficiently secure cipher suite has been
  negotiated.
✓ The plaintext of e-mail between a client and server utilizing STARTTLS cannot be
  modified by someone, provided a sufficiently secure cipher suite has been negotiated.
Cons:
✓ It does not provide end-to-end encryption, since a user usually doesn't control the
  whole transmission. This is in contrast to the use of TLS for http: here the user's client (a
  WWW browser) connects directly to the server that provides the data. E-mail can be
  transferred via multiple hops of which the sender can control at most the first.
✓ It does not provide message authentication, unless the e-mail has been sent directly from
  the client's (STARTTLS-capable) MUA to the recipient's MTA, which must record the client's
  certificate. Even then the message might be faked during local delivery.


Part 1: Compiling, Optimizing & Installing sfio

This section applies only if you want to run Sendmail through an SSL connection. Sfio is a
portable library for managing I/O streams. It provides functionality similar to that of stdio, the
ANSI C Standard I/O library, but via a new interface that is more powerful, robust and efficient.
Please note that the Sendmail organization doesn't recommend using sfio2000 but sfio1999.
For some (as for now unknown) reason, the version of sfio2000 doesn't work with Sendmail
and it is for this reason that we will download and install sfio1999.


Step 1

Once you get the program from the sfio website (http://www.research.att.com/sw/tools/sfio/) or
directly from http://www.research.att.com/tmp/reuse/pkgBAAa2jzfD/sfio_1999.src.unix.cpio, you
must copy it to the /var/tmp directory of your Linux system and change to this location before
creating an installation directory for the package. After that, move the package to the installation
directory to expand the archive, then perform the rest of the required steps to compile, optimize
and install it.

[root@deep /]# cp sfio_1999.src.unix.cpio /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# mkdir sfio
[root@deep tmp]# cp sfio_1999.src.unix.cpio sfio
[root@deep tmp]# cd sfio
[root@deep sfio]# cpio -i --make-directories < sfio_1999.src.unix.cpio
1258 blocks
[root@deep sfio]# mkdir include/sfio
[root@deep sfio]# PATH=/sbin:/bin:/usr/bin:/usr/sbin:/var/tmp/sfio/bin
[root@deep sfio]# cd src/lib/sfio/














Hey! We see here a new command called ‘cpio’. Yes, cpio is a program that copies files into or
out of a cpio or tar archive. The sfio package we have downloaded comes in a cpio archive
format and the way to unpack it is by using the cpio command (for more information about
cpio read the manual page man cpio(1)).

Note the PATH command: the sfio build instructions say that we should change our shell PATH
variable to include "./bin" so that the program "iffe", which resides under "./bin", will be
available in our search path. iffe (IF Features Exist) is a language interpreter to execute
specifications that define configuration parameters for the sfio program. By redefining our PATH
environment as shown above, the /var/tmp/sfio/bin directory which holds iffe will be
included in our environment variable. Once our PATH has been set, we move to the source code
directory of the program.
Step 2

There is a small bug in sfio-1999, which manifests itself when Sendmail is delivering to
a file (.forward -> /var/spool/mail/user) and the user quota is exceeded. The
problem is in sfio/src/lib/sfio/sfputr.c (puts): it doesn't check for an error from
_sfflsbuf() (in macro SFWPEEK()), and if an error occurs it starts an endless loop. We must fix it
now.














• Edit the sfputr.c file (vi +27 sfputr.c) and modify the part:

        for(w = 0; (*s || rc >= 0); )
        {       SFWPEEK(f,ps,p);
                if(p == 0 || (f->flags&SF_WHOLE) )
                {       n = strlen(s);
                        if(p >= (n + (rc < 0 ? 0 : 1)) )

To read:

        for(w = 0; (*s || rc >= 0); )
        {       SFWPEEK(f,ps,p);
                if(p == -1) return -1;      /* flush failed: report the error instead of looping */
                if(p == 0 || (f->flags&SF_WHOLE) )
                {       n = strlen(s);
                        if(p >= (n + (rc < 0 ? 0 : 1)) )


Step 3

Finally, before going into the compilation of the program, we'll edit the makefile and Makefile
files to change the default compiler flags to fit our own CPU architecture for better performance.
We will also change the sfio include file stdio.h to install it into a subdirectory called sfio as
Sendmail recommends.


• Edit the makefile file (vi makefile) and change the line:

INCDIR= ../../../include

To read:

INCDIR= ../../../include/sfio

• Edit the makefile file (vi makefile) and change the line:

CCMODE= -O

To read:

CCMODE= -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer

• Edit the makefile file (vi makefile) and change the line:

CC= cc

To read:

CC= gcc

• Edit the Makefile file (vi Makefile) and change the line:

CCFLAGS = -O

To read:

CCFLAGS = -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer


Step 4

Now, we must make a list of files on the system before you install the software, and one
afterwards, then compare them using the diff utility to find out what files were placed where and
finally install sfio in the system. Also we will run the test utility program “runtest” that comes
with the software to be sure that everything is right.

[root@deep sfio]# make
[root@deep sfio]# cd Sfio_t/
[root@deep Sfio_t]# ./runtest
[root@deep Sfio_t]# cd
[root@deep /root]# find /* > sfio1
[root@deep /root]# cd /var/tmp/sfio/
[root@deep sfio]# mv include/sfio /usr/include/
[root@deep sfio]# mv lib/* /usr/lib
[root@deep sfio]# cd
[root@deep /root]# find /* > sfio2
[root@deep /root]# diff sfio1 sfio2 > Sfio-Installed




















WARNING: You may receive a couple of error messages during compilation of the program. I don't
know why these errors occur, but ignore them and compile again with the make command from
where the error appears.





Step 5 

Once compilation, optimization, and installation of the software have been finished, we can free 
up some disk space by deleting the program cpio archive and the related source directory since 
they are no longer needed. 


• To delete the program and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf sfio/
[root@deep tmp]# rm -f sfio_1999.src.unix.cpio


Part 2: Compiling Sendmail to support SSL

This section applies only if you want to run Sendmail over an SSL connection. Once we have
finished installing sfio it is time to compile Sendmail by adding some new options to its
‘site.config.m4’ macro file to recognize the addition of SSL support. Configuration of the
‘site.config.m4’ macro file was explained previously in this chapter, at step 6 under “Compiling -
Optimizing & Installing Sendmail”, but you must complete steps 1 through 5 before going on to
step 6, which with the addition of SSL support becomes the one explained next.
Step 1

The only difference between compiling Sendmail without SSL support as described at the
beginning of this chapter and compiling the software with SSL support resides in the
‘site.config.m4’ macro file of the program. Inside this file we add some new parameters to
enable SSL support for the program.

Below I'll show you the new ‘site.config.m4’ macro file to create instead of the one we used
for Sendmail without SSL support. If you need more information about this macro file, then refer
to the previous step 6 of this chapter under the section called “Compiling - Optimizing & Installing
Sendmail”.

• Create the site.config.m4 file (touch devtools/Site/site.config.m4), and
  add the following lines inside the file to enable SSL support with Sendmail.

















































































































define(`confMAPDEF', `-DMAP_REGEX')
define(`confENVDEF', `-DPICKY_QF_NAME_CHECK -DXDEBUG=0')
define(`confSTDIO_TYPE', `portable')
define(`confINCDIRS', `-I/usr/include/sfio')
APPENDDEF(`confENVDEF', `-DSFIO')
APPENDDEF(`confLIBS', `-lsfio')
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
define(`confCC', `gcc')
define(`confOPTIMIZE', `-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer')
define(`confNO_HELPFILE_INSTALL')














Compared to the default local configuration file ‘site.config.m4’ that we used earlier in this
chapter to install Sendmail, we have added the option “-DHASURANDOMDEV” to specify the use of
the /dev/urandom device that our system provides, “-DSFIO” to use sfio if available instead
of the default UNIX stdio, and other macro options related to STARTTLS as shown above. If you
need more information about all the new options we have added to the ‘site.config.m4’ macro
file of Sendmail, refer to the Sendmail documentation available in the source tree of the
program.





Step 2

From this point you can return to step 7 of this chapter under the section called “Compiling -
Optimizing & Installing Sendmail” and install the software. Once the program has been installed
you must return here and see how to create the certificate keys, which will be used by the new
SSL feature of Sendmail.

To summarize, follow step 1 through step 5 under the section called “Compiling - Optimizing &
Installing Sendmail”, then replace step 6 of the same section with the one explained above in “Part
2: Compiling Sendmail to support SSL”, return to step 7 to follow the instructions about
installing Sendmail, then come back here.





Part 3: Creating the necessary Sendmail certificate keys

This section applies only if you want to run Sendmail through an SSL connection. This part is
one of the most interesting. Before configuring the ‘sendmail.mc’ macro configuration file of
Sendmail, it is important to create the appropriate certificate keys, since during the configuration
of the ‘sendmail.mc’ macro file we will add some new macro options which will indicate to
Sendmail where to find them.

Below I'll show you how to create a self-signed certificate with your own CA for Sendmail. The
principle is exactly the same as for creating a self-signed certificate for a Web Server (as
described in the chapter related to OpenSSL). I'll assume that your own CA has already been
created; if this is not the case refer to the OpenSSL chapter for further information.


Step 1

First you have to know the Fully Qualified Domain Name (FQDN) of the Sendmail Mail Hub
Server for which you want to request a certificate. When your outgoing mail server address is
boreas.openna.com then the FQDN of your Mail Hub Server is boreas.openna.com.

Step 2

Make a new certificate for Sendmail. This certificate becomes our private key and doesn't need
to be encrypted. This is required for an unattended startup of Sendmail. Otherwise you will have
to enter the pass phrase each time Sendmail is started as server or client. To generate an
unencrypted certificate we use the ‘-nodes’ option as shown below.

With the ‘-nodes’ option, the private key is not protected by a password, so the server can start
without external intervention. Without this option, you must provide the password every time the
server is started.

• To create a private key certificate without a pass phrase, use the following command:
[root@deep /]# cd /usr/share/ssl
[root@deep ssl]# openssl genrsa -rand random1:random2:random3:random4:random5 -out smtp.key 1024
22383 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......+++++
..............+++++
e is 65537 (0x10001)


Step 3

Once the private key has been made, we must generate a Certificate Signing Request (CSR) with
the server RSA private key. The command below will prompt you for the X.509 attributes of your
certificate. If you prefer to have your Certificate Signing Request (CSR) signed by a commercial
Certifying Authority (CA) like Thawte or Verisign, you need to post the csr file that will be
generated below into a web form, pay for the signing, and await the signed Certificate.

• To generate the CSR, use the following command:
[root@deep ssl]# openssl req -new -key smtp.key -out smtp.csr
Using configuration from /usr/share/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [OpenNA.com SMTP Mail Server]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [boreas.openna.com]:
Email Address [noc@openna.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:








WARNING: Be sure that you've entered the FQDN (Fully Qualified Domain Name) of the Outgoing 
Mail Hub Server when OpenSSL prompts you for the “Common Name”. 





Step 4

This step is needed only if you want to sign the csr certificate key as your own CA. Now we must
sign the new certificate with our own certificate authority that we have already created for
generation of the Web Server certificate under the OpenSSL chapter (ca.crt). If the self-signed
CA certificate doesn't exist, then refer to the chapter related to OpenSSL for more information
about how to create it.

• To sign the csr certificate with our own CA, use the following command:
[root@deep ssl]# /usr/share/ssl/misc/sign.sh smtp.csr
CA signing: smtp.csr -> smtp.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows





















































countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Quebec'
localityName          :PRINTABLE:'Montreal'
organizationName      :PRINTABLE:'Open Network Architecture'
commonName            :PRINTABLE:'boreas.openna.com'
emailAddress          :IA5STRING:'noc@openna.com'
Certificate is to be certified until Dec 21 11:36:12 2001 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: smtp.crt <-> CA cert
smtp.crt: OK











WARNING: If you receive an error message saying that the csr certificate that you are trying to 
sign already exists, it is because the information you have entered during the generation of the 
certificate key is the same as another which you have already created. In this case you must at 
least, change one bit of information in the new certificate key you want to create before signing 
the certificate with your own CA. 
Step 5

Next, we must place the certificate files (smtp.key and smtp.crt) in the appropriate
directories for Sendmail to be able to find them when it starts its daemon.

• To place the certificates into the appropriate directories, use the following commands:
[root@deep ssl]# mv smtp.key private/
[root@deep ssl]# mv smtp.crt certs/
[root@deep ssl]# chmod 400 private/smtp.key
[root@deep ssl]# chmod 400 certs/smtp.crt
[root@deep ssl]# rm -f smtp.csr

First we move the smtp.key file to the private directory and the smtp.crt file to the certs
directory. After that we change the mode of both certificates to be readable only by the super-
user ‘root’ for security reasons (if the mode of the certificates is not 0400, then Sendmail will
refuse to start with SSL support enabled). Finally we remove the smtp.csr file from our system
since it is no longer needed.


Part 4: Adding the required SSL parameters to the ‘sendmail.mc’ macro file

This section applies only if you want to run Sendmail over an SSL connection. Once the
Sendmail certificates have been created and moved to the appropriate location, we must create
a new ‘sendmail.mc’ macro configuration file that contains the macro options indicating
where the certificates can be found.


Step 1 

Below I'll show you the new ‘sendmail.mc’ macro configuration file to create instead of the one 
we use for Sendmail without SSL support. If you need more information about this macro 
configuration file, then refer to the section called “/etc/mail/sendmail.mc: The Sendmail 
Macro Configuration File” in this chapter. 


• Create the sendmail.mc file (touch /etc/mail/sendmail.mc), and add the
following lines inside the file to enable SSL support with Sendmail.


VERSIONID(`linux setup for LINUX OpenNA Boreas')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`confPRIVACY_FLAGS', `authwarnings,goaway,restrictmailq,restrictqrun')dnl
define(`confSAFE_FILE_ENV', `/home')dnl
define(`confCACERT_PATH', `/usr/share/ssl/certs/ca.crt')dnl
define(`confCACERT', `/usr/share/ssl/certs/ca.crt')dnl
define(`confSERVER_CERT', `/usr/share/ssl/certs/smtp.crt')dnl
define(`confSERVER_KEY', `/usr/share/ssl/private/smtp.key')dnl
define(`confCLIENT_CERT', `/usr/share/ssl/certs/smtp.crt')dnl
define(`confCLIENT_KEY', `/usr/share/ssl/private/smtp.key')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable')dnl
FEATURE(`redirect')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`relay_hosts_only')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`local_procmail')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
MAILER(`procmail')dnl


Step 2

Now that our macro configuration file “sendmail.mc” is configured and created to correspond to
our specific needs, we can build the Sendmail configuration file “sendmail.cf” from these
statements.


• To build the sendmail.cf configuration file, use the following commands:


[root@deep /]# cd /etc/mail/
[root@deep mail]# m4 /var/tmp/sendmail-8.11.4/cf/m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf








NOTE: Here, /var/tmp/sendmail-8.11.4/cf/m4/cf.m4 tells the m4 program where to look
for its default configuration file information. Please note that the Sendmail version may change,
and in this case don’t forget to update the above command line to reflect the change. Also, your
Sendmail source directory, from where you compiled and installed the program, must be
present on your system for the above command to find the cf.m4 macro file required for the
generation of your new sendmail.cf file.





Step 3
Finally, we must set the mode permission of this file to be (0600/-rw-------) and owned by
the super-user ‘root’ for security reasons.


• To change the mode permission and ownership of the sendmail.cf file, use the
following commands:
[root@deep mail]# chmod 600 sendmail.cf
[root@deep mail]# chown 0.0 sendmail.cf
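As an added example (my own script, not from the book or from the Sendmail project), here is a small POSIX shell check that reads the certificate and key paths out of a sendmail.mc like the one above and verifies the 0400 mode that Step 5 requires, together with the 0600 mode of sendmail.cf from Step 3. The function names tls_paths, file_mode, check_mode and check_sendmail_tls are my own, and the parser only understands the define(`confXXX', `path')dnl form used in this chapter.

```sh
#!/bin/sh
# Added example, not from the book: check that the certificate and key files a
# sendmail.mc points at exist and carry the 0400 mode Sendmail insists on, and
# that the generated sendmail.cf is 0600. Function names are my own.

# tls_paths MCFILE
#   Print the paths quoted in the confCACERT, confSERVER_CERT, confSERVER_KEY,
#   confCLIENT_CERT and confCLIENT_KEY define() lines, one per line.
tls_paths() {
    grep -E "^define\(\`conf(CACERT|SERVER_CERT|SERVER_KEY|CLIENT_CERT|CLIENT_KEY)'," "$1" |
        sed "s/.*\`\([^']*\)'.*/\1/"
}

# file_mode PATH
#   Print the symbolic permission string of PATH (first 10 columns of ls -ld);
#   this is portable where 'stat -c %a' is not.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# check_mode PATH EXPECTED
#   Return 0 when PATH exists and its permission string equals EXPECTED.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    mode=$(file_mode "$1")
    if [ "$mode" = "$2" ]; then
        echo "OK       $1 ($mode)"
    else
        echo "BAD MODE $1 ($mode, want $2)"
        return 1
    fi
}

# check_sendmail_tls MCFILE CFFILE
#   Return 0 only when every certificate/key named in MCFILE is mode 0400
#   (-r--------) and CFFILE is mode 0600 (-rw-------). Paths with spaces are
#   not expected in sendmail.mc, so the plain word split in the loop is fine.
check_sendmail_tls() {
    rc=0
    for p in $(tls_paths "$1"); do
        check_mode "$p" '-r--------' || rc=1
    done
    check_mode "$2" '-rw-------' || rc=1
    return $rc
}

# Usage on a real host (run as root so the private directory is readable):
#   check_sendmail_tls /etc/mail/sendmail.mc /etc/mail/sendmail.cf
```

The check deliberately reports a world-readable key as a failure instead of fixing it: on a live mail hub you want to know the key was exposed, not just silently tighten the mode.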


Step 4 

From this point you can return to the section called “Configuring Sendmail” and perform the rest 
of the steps necessary to configure the other required Sendmail configuration files. Finally come 
back to this section and read below the other security measures you may need to implement to 
improve security under Sendmail. Your software is now installed and configured to use the SSL 
encryption feature. Congratulations! 


Securing Sendmail 


This section deals specifically with actions we can take to improve security under Sendmail. The 
interesting points here are that we refer to the features available within the base installed program 
and not to any additional software. 


The Sendmail restricted shell “smrsh” 

The smrsh program is intended as a replacement for /bin/sh in the program mailer definition of
Sendmail. It’s a restricted shell utility that provides the ability to specify, through the
/etc/smrsh directory, an explicit list of executable programs available to Sendmail.
To be more accurate, even if a “bad guy” can get Sendmail to run a program without going
through an aliases or forward file, smrsh limits the set of programs that he or she can execute.
When used in conjunction with Sendmail, smrsh effectively limits Sendmail's scope of
program execution to only those programs specified in smrsh's directory. If you have followed
what we did above, the smrsh program is already compiled and installed on your computer under
/usr/sbin/smrsh.


Step 1 
The first thing we need to do is to determine the list of commands that “smrsh” should allow 
Sendmail to run. 


By default we include, but are not limited to:


/bin/mail

/usr/bin/procmail (if you have it installed on your system)


WARNING: You should NOT include interpreter programs such as sh(1), csh(1), perl(1),
uudecode(1) or the stream editor sed(1) in your list of acceptable commands.





Step 2 

You will next need to populate the /etc/smrsh directory with the programs that are allowable for 
Sendmail to execute. To prevent duplicate programs, and do a nice job, it is better to establish 
links to the allowable programs from /etc/smrsh rather than copy programs to this directory. 


• To allow the mail program /bin/mail, use the following commands:
[root@deep /]# cd /etc/smrsh
[root@deep smrsh]# ln -s /bin/mail mail


• To allow the procmail program /usr/bin/procmail, use the following commands:
[root@deep /]# cd /etc/smrsh
[root@deep smrsh]# ln -s /usr/bin/procmail procmail


This will allow the mail and procmail programs to be run from a user's “.forward” file or an
“aliases” file which uses the "program" syntax.








NOTE: Procmail is required only on a Mail Hub Server and not on a Local Client Mail Server. If
you have configured your system as a Mail Hub Server then make the link with procmail as
explained above; if you have configured your system as a Local Client Server then skip the
procmail step above.


Step 3

We can now configure Sendmail to use the restricted shell. The program mailer is defined by a
single line in the Sendmail configuration file, /etc/mail/sendmail.cf. You must modify this
single line “Mprog” definition in the “sendmail.cf” file, by replacing the /bin/sh specification
with /usr/sbin/smrsh.


• Edit the sendmail.cf file (vi /etc/mail/sendmail.cf) and change the line:


Mprog, P=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u


To read:


Mprog, P=/usr/sbin/smrsh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/, T=X-Unix, A=sh -c $u


• Now re-start the Sendmail process manually with the following command:
[root@deep /]# /etc/rc.d/init.d/sendmail restart
Shutting down sendmail: [OK]
Starting sendmail: [OK]








NOTE: In our “sendmail.mc” configuration file for the Mail Hub Server above, we have already
configured this “Mprog” line to use the restricted shell /usr/sbin/smrsh with the m4 macro
“FEATURE(`smrsh', `/usr/sbin/smrsh')”, so don't be surprised if the /usr/sbin/smrsh
specification is already set in your /etc/mail/sendmail.cf file for the Mail Hub relay.
Instead, use the technique shown above for the other /etc/mail/sendmail.cf files in your
network, like the one for the nullclient (“local or neighbor client and servers”) that uses the
“null.mc” macro configuration file to generate the /etc/mail/sendmail.cf file.
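The three steps above can be checked after the fact. The following is an added example script (mine, not part of the book or of Sendmail) that walks an smrsh directory, resolves each link, and fails if an entry is one of the interpreters named in the WARNING of Step 1, points nowhere, or is not executable. The function names audit_smrsh and is_forbidden and the SMRSH_FORBIDDEN list are my own; the list holds exactly the names the WARNING gives and can be extended.

```sh
#!/bin/sh
# Added example, not from the book: audit an smrsh directory. Every entry is
# listed with its link target; interpreters the text says must never be there
# (sh, csh, perl, uudecode, sed) and broken or non-executable entries make the
# audit fail. Function names and the directory argument are my own.

# Interpreter names from the WARNING in Step 1; extend to taste.
SMRSH_FORBIDDEN="sh csh perl uudecode sed"

# is_forbidden NAME -> 0 when NAME is one of SMRSH_FORBIDDEN
is_forbidden() {
    for f in $SMRSH_FORBIDDEN; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

# audit_smrsh [DIR]
#   Print one line per entry of DIR (default /etc/smrsh) and return 1 if any
#   entry is forbidden, dangling, or not executable.
audit_smrsh() {
    dir=${1:-/etc/smrsh}
    rc=0
    for entry in "$dir"/*; do
        # an empty directory leaves the glob unexpanded; skip that literal name
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=$(basename "$entry")
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
        else
            target=$entry
        fi
        tname=$(basename "$target")
        if is_forbidden "$name" || is_forbidden "$tname"; then
            # checked on both the link name and its target: a link called
            # "mail" that points at /bin/sh is still a shell
            echo "FORBIDDEN $name -> $target"
            rc=1
        elif [ ! -x "$entry" ]; then
            # -x follows symlinks, so a dangling link also lands here
            echo "BROKEN    $name -> $target"
            rc=1
        else
            echo "OK        $name -> $target"
        fi
    done
    return $rc
}

# Usage: audit_smrsh             # checks /etc/smrsh
#        audit_smrsh /some/dir   # checks another directory
```

Run it after every change to /etc/smrsh, and again after package upgrades: a vendor update can re-create a link you removed.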

















The /etc/mail/aliases file 

A poorly or carelessly administered “aliases” file can easily be used to gain privileged status.
For example, many vendors ship systems with a “decode” alias in the /etc/mail/aliases
file. The intention is to provide an easy way for users to transfer binary files using mail. At the
sending site the user converts the binary to ASCII with “uuencode”, then mails the result to the
“decode” alias at the receiving site. That alias pipes the mail message through the
/usr/bin/uudecode program, which converts the ASCII back into the original binary file.


Remove the “decode” alias line from your /etc/mail/aliases file. Similarly, every alias that 
executes a program that you did not place there yourself and checked completely should be 
questioned and probably removed. 


• Edit the aliases file (vi /etc/mail/aliases) and remove the following lines:


# Basic system aliases -- these MUST be present.
MAILER-DAEMON: postmaster
postmaster: root

# General redirections for pseudo accounts.
bin: root
daemon: root
games: root      ← remove this line.
ingres: root     ← remove this line.
nobody: root
system: root     ← remove this line.
toor: root       ← remove this line.
uucp: root       ← remove this line.

# Well-known aliases.
manager: root    ← remove this line.
dumper: root     ← remove this line.
operator: root   ← remove this line.

# trap decode to catch security attacks
decode: root     ← remove this line.

# Person who should get root's mail
#root: marc


For the changes to take effect you will need to run:
[root@deep /]# /usr/bin/newaliases





NOTE: Don’t forget to rebuild your aliases file with the newaliases command of Sendmail for 
the changes to take effect. 
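To find such aliases in a large aliases file without reading it line by line, here is an added example (my own script, not from the book) that prints every alias which pipes to a program, includes an external list, delivers to a file, or is the decode alias itself, so that each one can be reviewed as the text recommends. The function name risky_aliases is mine; it follows the aliases(5) format, including continuation lines that begin with whitespace.

```sh
#!/bin/sh
# Added example, not from the book: list the aliases in an aliases(5) file that
# deserve review because they run a program, include a list, deliver to a file,
# or are the "decode" alias the text says to remove. Function name is my own.

# risky_aliases FILE
#   Print "alias<TAB>reason<TAB>right-hand side" for each suspicious alias.
#   Comment and blank lines are skipped; a line starting with whitespace is a
#   continuation of the previous alias, as in aliases(5).
risky_aliases() {
    awk '
        function flush(    reason) {
            if (name == "") return
            if (name == "decode")                     reason = "decode alias"
            else if (rhs ~ "(^|,)[ \t]*\"?[|]")        reason = "pipes to a program"
            else if (rhs ~ ":include:")               reason = "includes a file list"
            else if (rhs ~ "(^|,)[ \t]*\"?/")          reason = "delivers to a file"
            else                                      reason = ""
            if (reason != "") printf "%s\t%s\t%s\n", name, reason, rhs
            name = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ {                       # continuation line: append to rhs
            line = $0
            sub(/^[ \t]+/, "", line)
            rhs = rhs " " line
            next
        }
        {
            flush()                      # report the previous alias, if any
            i = index($0, ":")
            if (i == 0) next
            name = substr($0, 1, i - 1)
            rhs  = substr($0, i + 1)
            sub(/^[ \t]+/, "", rhs)
        }
        END { flush() }
    ' "$1"
}

# Usage: risky_aliases /etc/mail/aliases
```

Plain user-to-user redirections are not listed, so on a well-kept server the output should be empty; anything that does show up is an alias you either placed there yourself and checked, or one to remove.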








The SMTP greeting message 
When Sendmail accepts an incoming SMTP connection it sends a greeting message to the other 
host. This message identifies the local machine and is the first thing it sends to say it is ready. 


Edit the sendmail.cf file (vi /etc/mail/sendmail.cf) and change the line:


O SmtpGreetingMessage=$j Sendmail $v/$Z; $b


To read:


O SmtpGreetingMessage=$j


Now re-start the Sendmail process manually for the change to take effect:
[root@deep /]# /etc/rc.d/init.d/sendmail restart
Shutting down sendmail: [OK]
Starting sendmail: [OK]


This change doesn't actually affect anything, but was recommended by folks in the
news.admin.net-abuse.email newsgroup as a legal precaution. It modifies the banner
which Sendmail displays upon receiving a connection.


Change all the default Sendmail files mode into the /etc/mail directory 

For the paranoids, we can change the default mode of all Sendmail files under the /etc/mail
directory to be readable and writable only by the super-user ‘root’. There is no reason to give
everyone read access to these files.


To change the mode of all files under the /etc/mail directory, use the following command:
[root@deep /]# chmod 600 /etc/mail/*


The undisclosed recipients mail message

One of the biggest problems in an ISP environment is the undisclosed recipients mail message
that users send to a lot of people. It's like spamming, but to a lesser degree. There is a way
to stop this: change the default value of the MaxRecipientsPerMessage option in the
sendmail.cf file.


By default, Sendmail limits the number of recipients that a mail can have to 100.
A good value to start testing with is 30.


• Edit the sendmail.cf file (vi /etc/mail/sendmail.cf) and change the line:


# maximum number of recipients per SMTP envelope
#O MaxRecipientsPerMessage=100


To read (the leading “#” is removed so that the option is actually in effect):


# maximum number of recipients per SMTP envelope
O MaxRecipientsPerMessage=30
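The three sendmail.cf edits in this section (smrsh for Mprog, the shortened greeting, and MaxRecipientsPerMessage) are easy to get wrong, in particular by leaving the option line commented out, in which case it has no effect. The following is an added example (mine, not from the book or from Sendmail) that reads those settings back from a sendmail.cf and fails when one of them is still at the shipped value. The function names cf_option, cf_mailer_path and check_sendmail_cf are my own.

```sh
#!/bin/sh
# Added example, not from the book: read back the three sendmail.cf settings
# this section changes (Mprog program, SMTP greeting, MaxRecipientsPerMessage)
# and fail when any of them is still at the shipped value. Names are my own.

# cf_option CFFILE NAME
#   Print the value of the active "O NAME=value" line. A "#O NAME=..." line is
#   a comment, so it is (correctly) not found: uncomment the option to set it.
cf_option() {
    sed -n "s/^O $2=//p" "$1" | tail -n 1
}

# cf_mailer_path CFFILE MAILER
#   Print the P= program of the "Mmailer, ... P=prog, ..." definition.
cf_mailer_path() {
    sed -n "s/^M$2,.*P=\([^,]*\),.*/\1/p" "$1" | head -n 1
}

# check_sendmail_cf CFFILE -> 0 only when all three hardening changes are present
check_sendmail_cf() {
    cf=$1
    rc=0

    prog=$(cf_mailer_path "$cf" prog)
    if [ "$prog" = "/usr/sbin/smrsh" ]; then
        echo "OK   Mprog runs programs through /usr/sbin/smrsh"
    else
        echo "FAIL Mprog program is '${prog:-unset}', want /usr/sbin/smrsh"
        rc=1
    fi

    greet=$(cf_option "$cf" SmtpGreetingMessage)
    if [ "$greet" = '$j' ]; then
        echo "OK   SmtpGreetingMessage shows only the host name"
    else
        echo "FAIL SmtpGreetingMessage is '${greet:-unset}' (version still advertised)"
        rc=1
    fi

    max=$(cf_option "$cf" MaxRecipientsPerMessage)
    case $max in
        ''|*[!0-9]*)
            echo "FAIL MaxRecipientsPerMessage is not an active option"
            rc=1 ;;
        *)
            if [ "$max" -le 100 ]; then
                echo "OK   MaxRecipientsPerMessage=$max"
            else
                echo "FAIL MaxRecipientsPerMessage=$max is above the shipped default of 100"
                rc=1
            fi ;;
    esac
    return $rc
}

# Usage: check_sendmail_cf /etc/mail/sendmail.cf
```

Because sendmail.cf is regenerated from sendmail.mc with m4, run this check after every rebuild: a hand edit to sendmail.cf that is not also reflected in the macro file disappears at the next m4 run.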


Set the immutable bit on important Sendmail files 

Important Sendmail files can have their immutable bit set for better security with the “chattr”
command of Linux. A file with the “+i” attribute cannot be modified, deleted or renamed; no link
can be created to this file, and no data can be written to the file. Only the super-user can set or
clear this attribute.


• Set the immutable bit on the “sendmail.cf” file:
[root@deep /]# chattr +i /etc/mail/sendmail.cf


• Set the immutable bit on the “local-host-names” file:
[root@deep /]# chattr +i /etc/mail/local-host-names


• Set the immutable bit on the “relay-domains” file:
[root@deep /]# chattr +i /etc/mail/relay-domains


• Set the immutable bit on the “aliases” file:
[root@deep /]# chattr +i /etc/mail/aliases


• Set the immutable bit on the “access” file:
[root@deep /]# chattr +i /etc/mail/access


• Set the immutable bit on the “virtusertable” file:
[root@deep /]# chattr +i /etc/mail/virtusertable


• Set the immutable bit on the “domaintable” file:
[root@deep /]# chattr +i /etc/mail/domaintable


• Set the immutable bit on the “mailertable” file:
[root@deep /]# chattr +i /etc/mail/mailertable
Further documentation
For more details about the Sendmail program, there are several manual pages you can read:


$ man aliases (5)     - aliases file for Sendmail
$ man makemap (8)     - create database maps for Sendmail
$ man sendmail (8)    - an electronic mail transport agent
$ man mailq (1)       - print the mail queue
$ man newaliases (1)  - rebuild the data base for the mail aliases file
$ man mailstats (8)   - display mail statistics
$ man praliases (8)   - display system mail aliases


Sendmail Administrative Tools 


The commands listed below are some that we use often, but many more exist. Check the manual 
page and documentation for more information. 


newaliases 

The purpose of the “newaliases” program utility of Sendmail is to rebuild and update the 
random access database for the mail aliases file /etc/mail/aliases. It must be run each 
time you change the contents of this file in order for the changes to take effect. 





• To update the aliases file with the “newaliases” utility, use the following command:
[root@deep /]# /usr/bin/newaliases


makemap

The purpose of the “makemap” program utility is to create the database-keyed maps in
Sendmail. The “makemap” command must be used only when you need to create a new
database for files like aliases, access, or domaintable, mailertable, and
virtusertable.


• To run makemap to create a new database for access, use the following command:
[root@deep /]# makemap hash /etc/mail/access.db < /etc/mail/access


Where <hash> is the database format; makemap can handle up to three different database
formats, which may be “hash”, “btree” or “dbm”. The </etc/mail/access.db> is the location
and the name of the new database that will be created. The </etc/mail/access> is the
location of the file that makemap will read from standard input. In our example, we
have created a new “access.db” file with the makemap command above. To create a database
for other files like aliases, domaintable, mailertable, and virtusertable, you must
indicate the location and name of the corresponding file in the “makemap” command.








mailq
The purpose of the “mailq” program utility is to print a summary of the mail messages queued
for future delivery.


• To print a summary of the mail messages queued, use the following command:
[root@deep /]# mailq
Mail queue is empty


• To process all messages in the queue manually, use the following command:
[root@deep /]# sendmail -q


NOTE: If you want to have more useful information about a queued message, you can try a
command like:


[root@deep /]# sendmail -qIqueueid -v


where you replace "queueid" by the actual identifier for a queued message.





Sendmail Users Tools 


The commands listed below are some that we use often, but many more exist. Check the manual 
page and documentation for more information. 


mailstats 


The “mailstats” program utility is a statistics-printing program and its purpose is to display the 
current mail statistics. 


• To display the current mail statistics, use the following command:
[root@deep /]# mailstats
Statistics from Wed Nov 29 09:00:29 2000
 M   msgsfr  bytes_from   msgsto    bytes_to  msgsrej msgsdis  Mailer
 3        1          1K        0          0K        0       0  local
 8        0          0K        1          1K        0       0  relay
 T        1          1K        1          1K        0       0
 C        1           1        0

praliases 


The “praliases” program utility is a program to print the DBM or NEWDB version of the aliases 
file and its purpose is to display one per line, in no particular order, the contents of the current 
system mail aliases. 





e To display the current system aliases, use the following command: 
[root@deep /]# praliases 
postmaster:root 
daemon: root 
root:admin 
@:@ 
mailer-daemon:postmaster 
bin:root 
nobody: root 
webadmin:admin 
www: root 
List of installed Sendmail files on your system for Central Mail Hub


> /etc/mail
> /etc/mail/statistics
> /etc/mail/sendmail.cf
> /etc/mail/sendmail.mc
> /etc/mail/access
> /etc/mail/access.db
> /etc/mail/aliases
> /etc/mail/aliases.db
> /etc/mail/virtusertable
> /etc/mail/virtusertable.db
> /etc/mail/domaintable
> /etc/mail/domaintable.db
> /etc/mail/mailertable
> /etc/mail/mailertable.db
> /etc/mail/local-host-names
> /etc/sysconfig/Sendmail
> /etc/smrsh
> /usr/bin/newaliases
> /usr/bin/mailq
> /usr/bin/hoststat
> /usr/bin/purgestat
> /usr/lib/sendmail
> /usr/sbin/sendmail
> /usr/sbin/mailstats
> /usr/sbin/smrsh
> /usr/sbin/makemap
> /usr/sbin/praliases
> /usr/share/man/man1/mailq.1
> /usr/share/man/man1/newaliases.1
> /usr/share/man/man5/aliases.5
> /usr/share/man/man8/smrsh.8
> /usr/share/man/man8/sendmail.8
> /usr/share/man/man8/mailstats.8
> /usr/share/man/man8/makemap.8
> /usr/share/man/man8/praliases.8
> /var/spool/mqueue


List of installed Sendmail files on your system for local server or client


> /etc/mail
> /etc/mail/statistics
> /etc/mail/local-host-names
> /etc/smrsh
> /usr/bin/mailq
> /usr/bin/hoststat
> /usr/bin/purgestat
> /usr/lib/sendmail
> /usr/sbin/sendmail
> /usr/sbin/mailstats
> /usr/sbin/smrsh
> /usr/share/man/man1/mailq.1
> /usr/share/man/man8/sendmail.8
> /usr/share/man/man8/mailstats.8
> /usr/share/man/man8/smrsh.8
> /var/spool/mqueue


List of installed sfio files on your system


> /usr/include/sfio
> /usr/include/sfio/sfio.h
> /usr/include/sfio/ast_common.h
> /usr/include/sfio/sfio_t.h
> /usr/include/sfio/stdio.h
> /usr/lib/libsfio.a
> /usr/lib/libstdio.a
Linux qmail Mail Transfer Agent Server


Abstract

If you decide to use qmail as a Mail Server, you must be aware of how it works. It is
completely different from Sendmail, which has pretty much everything built into a single binary. The
qmail system is built using the philosophy of having many small utilities that do one thing, and
then combining these utilities to make something useful happen. qmail delivery takes place
using a number of separate programs that communicate with each other in well defined ways.


Finally, and before going into qmail deeper, it's important to note that qmail runs through a
program named tcpserver, which functions in the same manner as Xinetd but is supposed to
be faster. Therefore, to install the base qmail features on your system, you'll have to play with at
least two different packages related to it, named respectively ucspi-tcp and
checkpassword. Personally, I think that there are too many add-ons to deal with to be able
to run qmail. On the other hand, if we look at some surveys, we'll find that Hotmail, with thirty million
users, has been using qmail for outgoing mail since 1997. (Reportedly, after Microsoft purchased
Hotmail, it tried to move Hotmail to Microsoft Exchange under Windows NT. Exchange crashed.)


According to the creator's note:

qmail is a secure, reliable, efficient, simple message transfer agent. It is meant as a
replacement for the entire sendmail-binmail system on typical Internet-connected UNIX
hosts. Security isn't just a goal, but an absolute requirement. Mail delivery is critical for users; it
cannot be turned off, so it must be completely secure. (This is why I started writing qmail: I was
sick of the security holes in sendmail and other MTAs.)


qmail supports host and user masquerading, full host hiding, virtual domains, null clients, list-
owner rewriting, relay control, double-bounce recording, arbitrary RFC 822 address lists, cross-
host mailing list loop detection, per-recipient checkpointing, downed host backoffs, independent
message retry schedules, etc. In short, it's up to speed on modern MTA features. qmail also
includes a drop-in “sendmail” wrapper so that it will be used transparently by your current UAs.


As with the previous Sendmail set up, we'll show you two different configurations that you can
use for qmail: one for a Central Mail Hub Relay, and another for a null client, which can be used
for any server that doesn’t run as a Mail Hub Server. Contrary to the Sendmail null client
configuration, you'll see here that with qmail configuring a null client is far easier and
doesn’t require you to play around with many different macros or files.


Finally, I'd like to advise you that qmail is not supported by the majority of external mailing list
applications or programs like mailman, logcheck, tripwire, etc. It can be very difficult to
make it work with this kind of program, and trying to find help on the qmail mailing list can also
be very difficult, since support is not as you would expect it to be, like with Sendmail. A lot of
serious questions are asked without any answers and only stupid questions are answered by the
mailing list users (I’m sorry but it is true). Therefore, and before going into compilation and
installation of this software, I recommend you think about your decision.




qmail
CHAPTER 21








Recommended RPM packages to be installed for a Mail Server

A minimal configuration provides the basic set of packages required by the Linux operating
system. A minimal configuration is a perfect starting point for building a secure operating system.
Below is the list of all recommended RPM packages required to run your Linux server as a Mail
Server (SMTP) running the qmail software properly.


This configuration assumes that your kernel is a monolithic kernel. I also suppose that you will
install qmail from an RPM package; therefore the qmail RPM package is already included in the list
below, as you can see. The security tools are not installed: it is up to you to install them, as you need
them, from RPM packages too, since the compiler packages are not installed and not included in the list.


basesystem
bdflush
bind
bzip2
chkconfig
console-tools
cpio
cracklib
cracklib-dicts
crontabs
db1
db2
db3
dev
devfsd
diffutils
e2fsprogs
file
filesystem
fileutils
findutils
gawk
gdbm
gettext
glib
glibc
glibc-common
grep
groff
gzip
info
initscripts
iptables
less
libstdc++
libtermcap
lilo
logrotate
losetup
MAKEDEV
man
mingetty
mktemp
mount
ncurses
net-tools
newt
openssh
openssh-server
openssl
pam
passwd
popt
procps
psmisc
pwdb
qmail
quota
readline
rootfiles
rpm
sed
setup
sh-utils
shadow-utils
slang
slocate
sysklogd
syslinux
SysVinit
tar
termcap
textutils
tmpwatch
utempter
util-linux
vim-common
vim-minimal
vixie-cron
which
words
zlib


Tested and fully functional on OpenNA.com. 
These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account “root”.
Whether kernel recompilation may be required: No
Latest qmail version number is 1.03
Latest ucspi-tcp version number is 0.88
Latest checkpassword version number is 0.90


Packages
The following is based on information as listed by qmail as of 2001/03/25. Please regularly
check at www.qmail.org for the latest status.


Source code is available from:

qmail Homepage: http://www.qmail.org/
qmail FTP Site: 131.193.178.181
You must be sure to download: qmail-1.03.tar.gz


ucspi-tcp Homepage: http://cr.yp.to/ucspi-tcp/install.html
You must be sure to download: ucspi-tcp-0.88.tar.gz


checkpassword Homepage: http://cr.yp.to/checkpwd/install.html
You must be sure to download: checkpassword-0.90.tar.gz


Prerequisites 

qmail requires that the software listed below be already installed on your system to be able to
compile successfully as a full Central Mail Hub Server. If this is not the case, you must install
them from the source archive files. Please make sure you have all of these programs installed on
your box before you proceed with this chapter. If you intend to install qmail as a standalone
null client Mail Server, you don’t need to install those programs.


✓ ucspi-tcp is needed by qmail and should be already installed on your system.


✓ checkpassword is needed by qmail and should be already installed on your system.


Verifying & installing all the prerequisites to run qmail 

As I’ve mentioned before, qmail uses a modular design instead of building everything into a
single binary. This means, for example, that the binary responsible for sending mail is
separate from the program responsible for receiving mail, and so on. In order to perform
some other useful actions you need the utilities supplied in the ucspi-tcp and checkpassword
packages.


The ucspi-tcp package includes a high-speed inetd replacement for the SMTP server, and a
generic tool to reject mail from RBL-listed sites. ucspi-tcp is required by qmail to be able to
run its smtpd program on port 25, to receive mail via SMTP. Without this package, you cannot
receive mail on the machine where qmail is installed, but only send mail. It’s also required by the
qmail-pop3d and qmail-popup programs of qmail to be able to read your mail from an
external computer.


The checkpassword program is also required by qmail if you need to run qmail-pop3d,
which is already included in the qmail package and is responsible for distributing mail via POP
through qmail-popup, which reads a POP username and password.


As you can see, with qmail you don't need to install external programs, like IMAP/POP, to be
able to read mail from another computer. qmail includes its own secure programs, qmail-
pop3d and qmail-popup, for this purpose.


Therefore, what is the relation between qmail and checkpassword? checkpassword
provides a simple, uniform password-checking interface to all root applications and it is suitable
for use by applications such as pop3d.


Compiling, Optimizing & Installing ucspi-tcp 

This section applies only if you chose to install and use qmail as a Central Mail Hub Server on
your system. The ucspi-tcp package includes many small utilities to run with qmail. One of
the most important, and the one we need here, is named tcpserver and works in the same way
as Xinetd or inetd, but the difference is that it’s really much faster.


The tcpserver program accepts incoming TCP connections and waits for connections from
TCP clients. Without it, you cannot access your POP3 account and read your mail on the qmail
Mail Server.


Step 1 

Once you get the program from the qmail website you must copy it to the /var/tmp directory of
your Linux system and change to this location before expanding the archive. After that, move into
the newly created ucspi-tcp directory and perform the following steps to compile and optimize
it.

[root@deep /]# cp ucspi-tcp-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf ucspi-tcp-version.tar.gz
[root@deep tmp]# cd ucspi-tcp-0.88


Step 2
Now, it’s important to edit the conf-home file and change the default location where ucspi-tcp
programs will be installed to fit our operating system environment.
• Edit the conf-home file (vi conf-home) and change the line:
/usr/local


To read:


/usr


Step 3
Before going into the compilation of the program, we'll edit the conf-cc file and change
the default compiler flags to fit our own CPU architecture for better performance.
• Edit the conf-cc file (vi conf-cc) and change the line:
gcc -O2
To read:


gcc -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer








WARNING: Please don’t forget to adjust the above optimization FLAGS to reflect your own system 
and CPU architecture. 





Step 4 

Now, we must make a list of the files on the system before you install the software, and one
afterwards, then compare them using the diff utility to find out what files are placed where, and
finally install ucspi-tcp on the system.


[root@deep ucspi-tcp-0.88]# make
[root@deep ucspi-tcp-0.88]# cd
[root@deep /root]# find /* > ucspitcp1
[root@deep /root]# cd /var/tmp/ucspi-tcp-0.88/
[root@deep ucspi-tcp-0.88]# make setup check
[root@deep ucspi-tcp-0.88]# cd
[root@deep /root]# find /* > ucspitcp2
[root@deep /root]# diff ucspitcp1 ucspitcp2 > Ucspitcp-Installed














NOTE: Executing the find command under the /root directory is only needed to keep track of
what files the program will install into the system and where. It’s a good practice to keep a log of
the files installed on the system in case of future upgrades or bug fixes.





Compiling, Optimizing & Installing checkpassword 

This section applies only if you chose to install and use qmail as a Central Mail Hub Server on
your system. As described on the qmail website, qmail-popup and qmail-pop3d are glued
together by a program called checkpassword. It's run by qmail-popup; it reads the username
and password handed to the POP3 daemon, then looks them up in /etc/passwd, verifies them,
switches to the user's username/home directory, and then runs pop3d.


Step 1 

Once you get the program from the qmail website you must copy it to the /var/tmp directory of
your Linux system and change to this location before expanding the archive. After that, move into
the newly created checkpassword directory and perform the following steps to compile and
optimize it.


[root@deep /]# cp checkpassword-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf checkpassword-version.tar.gz
[root@deep tmp]# cd checkpassword-0.90


Step 2
Before going into compilation of the program, we'll edit the conf-cc file and change the default
compiler flags to fit our own CPU architecture for better performance.
• Edit the conf-cc file (vi conf-cc) and change the line:
gcc -O2
To read:


gcc -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer








WARNING: Please don’t forget to adjust the above optimization FLAGS to reflect your own system 
and CPU architecture. 





Step 3 

Now, we must make a list of the files on the system before you install the software, and one
afterwards, then compare them using the diff utility to find out what files are placed where, and
finally install checkpassword on the system.


[root@deep checkpassword-0.90]# make
[root@deep checkpassword-0.90]# cd
[root@deep /root]# find /* > checkpass1
[root@deep /root]# cd /var/tmp/checkpassword-0.90/
[root@deep checkpassword-0.90]# make setup check
[root@deep checkpassword-0.90]# cd
[root@deep /root]# find /* > checkpass2
[root@deep /root]# diff checkpass1 checkpass2 > CheckPass-Installed








Pristine source 

If you don't use the RPM package to install this program, it will be difficult for you to locate all 
installed files in the system in the eventuality of an update in the future. To solve the problem, 
it is a good idea to make a list of files on the system before you install qmail, and one 
afterwards, and then compare them using the diff utility of Linux to find out what files are 
placed where. 

• Simply run the following command before installing the software: 
[root@deep /root]# find /* > qmail1 

• And the following one after you install the software: 
[root@deep /root]# find /* > qmail2 

• Then use the following command to get a list of what changed: 
[root@deep /root]# diff qmail1 qmail2 > Qmail-Installed 

















With this procedure, if any upgrade appears, all you have to do is to read the generated list of 
what files were added or changed by the program and remove them manually from your system 
before installing the new software. In our example above, we use the /root directory of 
the system to store all generated list files. 
Compiling, Optimizing & Installing qmail 

Now you are ready to go to the installation steps of the qmail program. Below are the required 
steps that you must make to compile the qmail software before installing it into your Linux 
system. 

As you'll see later, qmail has no pre-compilation configuration like Sendmail, which requires a 
big decision list of what to compile into the software. Instead qmail automatically adapts itself to 
your UNIX variant and allows a quick installation. On the other hand, due to its quick installation 
feature, it doesn't let us install different parts of the software where we want them to go, and this is 
why we must do a bit of tweaking to make it fit our system environment. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


e These procedures can be accomplished with the following commands: 
[root@deep /]# cp qmail-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 

[root@deep tmp]# tar xzpf qmail-version.tar.gz 


Step 2 
In order to check that the version of qmail, which you are going to install, is an original and 
unmodified one, use the commands described below and check the supplied signature. 


• To verify the MD5 checksum of qmail, use the following command: 
[root@deep tmp]# md5sum qmail-version.tar.gz 

This should yield an output similar to this: 
622f65f982e380dbe86e6574f3abcb7c qmail-1.03.tar.gz 

Now check that this checksum is exactly the same as the one published on the qmail website at 
the following URL: http://cr.yp.to/qmail/dist.html 


Step 3 
After that, move into the newly created qmail directory and create the qmail home directory 
manually. The qmail home directory is where everything related to the qmail software is handled. 


e To move into the newly created qmail archive directory, use the following command: 
[root@deep tmp]# cd qmail-1.03/ 


• To create the qmail home directory, use the following command: 
[root@deep qmail-1.03]# mkdir /var/qmail 
Step 4 

Once the qmail home directory has been created, we must set up the qmail groups and the 
qmail user accounts before compiling the program. It's important to note that no qmail users 
or groups have a shell account on the system; this is an important security point to consider. 

During the creation of all the required qmail accounts as shown below, we'll redirect all qmail 
users and groups accounts to a /bin/false shell. Once again this is an important security 
measure to take. 

• To create all the required qmail users and groups, use the following commands: 

[root@deep qmail-1.03]# groupadd -f -g81 nofiles 
[root@deep qmail-1.03]# groupadd -f -g82 qmail 
[root@deep qmail-1.03]# useradd -g nofiles -d /var/qmail/alias -u 82 -s 
/bin/false alias 2>/dev/null || : 
[root@deep qmail-1.03]# useradd -g nofiles -d /var/qmail -u 81 -s 
/bin/false qmaild 2>/dev/null || : 
[root@deep qmail-1.03]# useradd -g nofiles -d /var/qmail -u 86 -s 
/bin/false qmaill 2>/dev/null || : 
[root@deep qmail-1.03]# useradd -g nofiles -d /var/qmail -u 87 -s 
/bin/false qmailp 2>/dev/null || : 
[root@deep qmail-1.03]# useradd -g qmail -d /var/qmail -u 83 -s 
/bin/false qmailq 2>/dev/null || : 
[root@deep qmail-1.03]# useradd -g qmail -d /var/qmail -u 84 -s 
/bin/false qmailr 2>/dev/null || : 
[root@deep qmail-1.03]# useradd -g qmail -d /var/qmail -u 85 -s 
/bin/false qmails 2>/dev/null || : 

The above commands will create all the required qmail groups and user accounts necessary 
for the program to run properly and in a secure manner. 


Step 5 
Before going into the compilation of the program, we'll edit the conf-cc file and change the 
default compiler flags to fit our own CPU architecture for better performance. 
• Edit the conf-cc file (vi conf-cc) and change the line: 
cc -O2 

To read: 

gcc -O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer 








WARNING: Please don’t forget to adjust the above optimization FLAGS to reflect your own system 
and CPU architecture. 
Step 6 

Now, we must make a list of files on the system before installing the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where and 
finally compile the programs and create the qmail directory tree in the server. 

[root@deep qmail-1.03]# cd 
[root@deep /root]# find /* > qmail1 
[root@deep /root]# cd /var/tmp/qmail-1.03/ 
[root@deep qmail-1.03]# make setup check 
[root@deep qmail-1.03]# strip /var/qmail/bin/* 
[root@deep qmail-1.03]# ln -s /var/qmail/bin/sendmail /usr/lib/sendmail 
[root@deep qmail-1.03]# ln -s /var/qmail/bin/sendmail /usr/sbin/sendmail 
[root@deep qmail-1.03]# mv -f /var/qmail/bin/maildir2mbox /usr/bin 
[root@deep qmail-1.03]# mv -f /var/qmail/bin/maildirmake /usr/bin 
[root@deep qmail-1.03]# mv -f /var/qmail/bin/maildirwatch /usr/bin 
[root@deep qmail-1.03]# mv -f /var/qmail/bin/qmail-qread /usr/bin 
[root@deep qmail-1.03]# mv -f /var/qmail/bin/qmail-qstat /usr/bin 
[root@deep qmail-1.03]# chmod 444 /var/qmail/man/man1/* 
[root@deep qmail-1.03]# chmod 444 /var/qmail/man/man5/* 
[root@deep qmail-1.03]# chmod 444 /var/qmail/man/man7/* 
[root@deep qmail-1.03]# chmod 444 /var/qmail/man/man8/* 
[root@deep qmail-1.03]# mv -f /var/qmail/man/man1/* /usr/share/man/man1 
[root@deep qmail-1.03]# mv -f /var/qmail/man/man5/* /usr/share/man/man5 
[root@deep qmail-1.03]# mv -f /var/qmail/man/man7/* /usr/share/man/man7 
[root@deep qmail-1.03]# mv -f /var/qmail/man/man8/* /usr/share/man/man8 
[root@deep qmail-1.03]# rm -rf /var/qmail/man/ 
[root@deep qmail-1.03]# rm -rf /var/qmail/doc/ 
[root@deep qmail-1.03]# maildirmake /etc/skel/Maildir 
[root@deep qmail-1.03]# cd 
[root@deep /root]# find /* > qmail2 
[root@deep /root]# diff qmail1 qmail2 > qmail-Installed 


The first two ln -s commands are used to make qmail's "sendmail" wrapper available to 
MUAs. This is important to stay compatible with an external program you may install in the future. 
Many programs assume by default that you have Sendmail installed in your system. Therefore, 
to eliminate possible problems and compatibility issues, we'll create symbolic links from qmail to 
Sendmail. To summarize, we'll make a link under /usr/lib and /usr/sbin, where the sendmail 
binary usually lives, to the qmail program. This way any program that looks for Sendmail in 
these directories will be automatically redirected to the qmail program for execution. 

The mv -f commands are used to put all manual pages related to qmail under our default 
manual pages directories for Linux. Once all the qmail manual pages have been placed under 
the /usr/share/man directories, we remove the old /var/qmail/man directories, which are not 
needed now. 

The rm -rf command is also used to remove the /var/qmail/doc how-to pages directory, 
where all the documentation related to qmail lives after a successful installation of the program. 
These documentation files are the same as the ones you have surely read during the installation 
of qmail. If this is the case, you can remove them to make space and clean up the qmail 
directory. 

The maildirmake command is used to create a skeleton maildir for incoming mail under the 
/etc/skel directory, which is used by Linux during creation of new user accounts on the system. 
By creating a Maildir directory under this location (/etc/skel), we solve the problem of 
manually creating a new maildir directory for each new user added to the system (see further 
down in this chapter for more information about the Maildir feature of qmail). 
Step 7 

You MUST tell qmail your hostname. To do it, use the config script of qmail, which looks up 
your host name in DNS. This config script will also look up your local IP addresses in DNS to 
decide which hosts it should accept mail for. 

[root@deep /root]# cd /var/tmp/qmail-1.03/ 
[root@deep qmail-1.03]# ./config 
Your hostname is boreas. 
Your host's fully qualified name in DNS is boreas.openna.com. 
Putting boreas.openna.com into control/me... 
Putting openna.com into control/defaultdomain... 
Putting openna.com into control/plusdomain... 

Checking local IP addresses: 
127.0.0.1: Adding localhost to control/locals... 
207.35.78.4: Adding boreas.openna.com to control/locals... 

If there are any other domain names that point to you, 
you will have to add them to /var/qmail/control/locals. 
You don't have to worry about aliases, i.e., domains with CNAME records. 

Copying /var/qmail/control/locals to /var/qmail/control/rcpthosts... 
Now qmail will refuse to accept SMTP messages except to those hosts. 
Make sure to change rcpthosts if you add hosts to locals or 
virtualdomains! 

NOTE: If you receive an error message like: 

Your hostname is boreas. 
hard error 
Sorry, I couldn't find your host's canonical name in DNS. 
You will have to set up control/me yourself. 

You'll have to run the config-fast script located in the same source directory as follows: 
./config-fast boreas.openna.com 

Here I assume that your domain is openna.com and the hostname of your computer is boreas. 





Step 8 

Now it's time to add the minimum required aliases for qmail to run properly on your system. 
You should set up at least aliases for Postmaster, Mailer-Daemon, and root. For security 
reasons the super-user 'root' never receives mail with qmail. Because many programs on our 
server need to send system messages to 'root', we can create an alias to another user locally or 
remotely. Finally, an important note is the fact that qmail uses files for every alias. This is one of 
the major ways that qmail differs from sendmail. Therefore don't forget to create a ".qmail" 
alias file for every user on the system. 

[root@deep qmail-1.03]# cd ~alias 
[root@deep alias]# touch .qmail-postmaster 
[root@deep alias]# touch .qmail-mailer-daemon 
[root@deep alias]# touch .qmail-root 
[root@deep alias]# chmod 644 ~alias/.qmail-* 

• To create an alias for the super-user 'root' use a command like: 
[root@deep alias]# echo noc@openna.com > .qmail-root 

Here I instruct qmail to send all messages intended for the super-user 'root' to a remote non-
privileged user account named noc at openna.com. You can also instruct qmail to send all 
messages reserved for 'root' to a local user by specifying just the name of an existing local user 
like 'gmourani'. Finally, this method is applicable for any other alias files with qmail and I 
recommend you, at the minimum, create an alias for the users 'postmaster' and 'mailer-
daemon' too. In this way all possible messages intended for these users will be forwarded to the 
alias user. 

• To create an alias for users 'postmaster' and 'mailer-daemon' use commands like: 
[root@deep alias]# echo noc@openna.com > .qmail-postmaster 
[root@deep alias]# echo noc@openna.com > .qmail-mailer-daemon 








NOTE: qmail doesn't have any built-in support for Sendmail's /etc/aliases. If you have a big 
/etc/aliases and you'd like to keep it, install the fastforward package, which is available 
separately from the qmail website. This package "fastforward" is faster and more secure 
than the default Sendmail aliases feature. As a security precaution, qmail refuses to deliver 
mail to users who don't own their home directory. In fact, such users aren't even considered users 
by qmail. As a result, if "postmaster" doesn't own ~postmaster, then postmaster isn't a user, and 
postmaster@openna.com isn't a valid mailbox. 





Step 9 

The qmail package, once installed on your system, includes a local delivery agent, called 
'qmail-local', which provides user-controlled mailing lists, cross-host alias loop detection, and 
many other important qmail features like the qmail crashproof Maildir directory for your 
incoming mail messages. This qmail program (qmail-local) is intended to replace binmail, 
which is the default Unix /bin/mail program used under Linux to deliver mail locally into a 
central spool directory called /var/spool/mail. 

There's one important difference between qmail-local and binmail: qmail-local delivers 
mail by default into ~user/Mailbox or ~user/Maildir, rather than 
/var/spool/mail/user. What does this imply? 

As explained in the documentation of qmail, there are two basic problems with 
/var/spool/mail: 

✓ It's slow. On systems with thousands of users, /var/spool/mail has thousands of 
entries. A few UNIX systems support fast operations on large directories, but most don't. 

✓ It's insecure. Writing code that works safely in a world-writable directory is not easy. See, 
for example, CERT advisory 95:02. 

For these reasons, and to tighten the security of our configured system as well as to optimize the 
qmail Mail Server to perform at its peak, we'll change and configure mail software to look at the 
qmail ~user/Maildir directly. Maildir is a feature of qmail to replace the old well known 
Unix Mailbox format, which is less reliable than Maildir. 

Usually, you can create this new Maildir directory manually for all existing users in the system, 
but it is recommended to automate the task for future users by setting up Maildir as the default 
for everybody, by creating a maildir in the new-user template directory (/etc/skel). Below, we 
show you both methods: 
For all existing users in your system: 

• To create a new Maildir for all existing users in the system, use the commands: 
[root@deep /]# maildirmake $HOME/Maildir 
[root@deep /]# echo ./Maildir/ > ~/.qmail 

Where <$HOME> is the user's home directory in which you want to create this new qmail Maildir 
directory for all incoming mail messages. The echo command is required only if you want to 
create an alias file for this user (see your qmail documentation for more information about the user 
alias file). 

WARNING: The <echo ./Maildir/ > ~/.qmail> command is not required for the super-user 
'root' since we have already created its alias file under the /var/qmail/alias directory previously 
during the installation of qmail. 





For all future users in your system: 


• Create the qmail.csh file (touch /etc/profile.d/qmail.csh) and add the lines: 

setenv MAIL $HOME/Maildir/ 
setenv MAILDIR $MAIL 

• Create the qmail.sh file (touch /etc/profile.d/qmail.sh) and add the lines: 

export MAILDIR=$HOME/Maildir/ 
export MAILDROP=$HOME/Maildir/ 











• Once the qmail.csh and the qmail.sh files have been created, we must be sure that 
their default modes are (0755/-rwxr-xr-x) and that they are owned by the super-user 'root': 


[root@deep /]# chmod 755 /etc/profile.d/qmail.csh 
[root@deep /]# chmod 755 /etc/profile.d/qmail.sh 
[root@deep /]# chown 0.0 /etc/profile.d/qmail.csh 
[root@deep /]# chown 0.0 /etc/profile.d/qmail.sh 








WARNING: If you use special mail software like procmail, elm, pine, or qpopper, you must 
read the documentation that comes with qmail to know how to configure them to look at 
~user/Mailbox or ~user/Maildir directly. We assume qmail-local as the new default 
local delivery agent in this example because it's enough for the job. 

Since we have configured qmail to use qmail-local for local deliveries, it's important to note 
that your mailbox will be moved to ~you/Mailbox or ~you/Maildir if you have decided to 
switch to the new Maildir feature of qmail. 
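As an added example (not the book's code), the following Python walks through the Maildir delivery protocol that makes qmail-local's ~user/Maildir safe without the locking a shared /var/spool/mail needs: a message is written into tmp/, forced to disk, and then moved into new/ in one atomic step, so a reader never sees a half-written message. The Maildir is created under a temporary directory and the message is constructed.

```python
"""Added example, not the book's code: the Maildir delivery protocol that
makes qmail-local's ~user/Maildir safe without the locking that a shared
/var/spool/mail needs.  The Maildir is created under a temporary directory
and the message is constructed."""
import os
import socket
import tempfile
import time

SUBDIRS = ("tmp", "new", "cur")


def maildirmake(path):
    """Create Maildir/{tmp,new,cur} with mode 0700, as the maildirmake
    tool does for /etc/skel/Maildir in this chapter."""
    for sub in SUBDIRS:
        os.makedirs(os.path.join(path, sub), mode=0o700, exist_ok=True)
    return path


def unique_name(suffix=""):
    """time.pid.host: the naming scheme that lets several deliverers write
    into one Maildir at the same time without any lock file."""
    return "%d.%d.%s%s" % (int(time.time()), os.getpid(), socket.gethostname(), suffix)


def deliver(maildir, message):
    """Write the message into tmp/, force it to disk, then move it into
    new/ with one atomic rename.  Readers only look at new/ and cur/, so
    they either see the complete message or nothing at all."""
    name = unique_name()
    tmp_path = os.path.join(maildir, "tmp", name)
    if os.path.exists(tmp_path):
        # Another deliverer owns this name; qmail-local sleeps and retries.
        raise OSError("temporary file name in use: %s" % name)
    with open(tmp_path, "wb") as fh:
        fh.write(message)
        fh.flush()
        os.fsync(fh.fileno())
    os.rename(tmp_path, os.path.join(maildir, "new", name))
    return name


def crash_mid_delivery(maildir, partial):
    """A deliverer that dies after writing part of a message leaves only a
    stale file in tmp/, which a later cleanup pass can remove safely."""
    name = unique_name(".partial")
    with open(os.path.join(maildir, "tmp", name), "wb") as fh:
        fh.write(partial)
    return name


def list_new(maildir):
    """What a reader such as qmail-pop3d sees as newly arrived mail."""
    return sorted(os.listdir(os.path.join(maildir, "new")))


def list_tmp(maildir):
    """Leftovers from deliveries that never completed."""
    return sorted(os.listdir(os.path.join(maildir, "tmp")))


def read_new(maildir, name):
    with open(os.path.join(maildir, "new", name), "rb") as fh:
        return fh.read()


def demo():
    """One clean delivery and one interrupted one in a fresh Maildir."""
    root = tempfile.mkdtemp(prefix="Maildir-demo-")
    maildir = maildirmake(os.path.join(root, "Maildir"))
    message = (b"From: noc@openna.com\n"      # constructed sample message
               b"To: gmourani@openna.com\n"
               b"Subject: Maildir test\n\n"
               b"hello\n")
    delivered = deliver(maildir, message)
    stale = crash_mid_delivery(maildir, message[:12])
    return {"maildir": maildir, "message": message, "delivered": delivered,
            "stale_tmp": stale, "visible": list_new(maildir)}


if __name__ == "__main__":
    result = demo()
    print("new/:", result["visible"])
    print("tmp/:", list_tmp(result["maildir"]))
```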
Step 10 

One last step to do with the new Maildir feature of qmail is to set it up as the default delivery 
by creating a file named dot-qmail under the /etc directory. The qmail initialization script 
reads this file each time you restart the mail server. 


e Create the dot-qmail file (touch /etc/dot-qmail) and add the lines: 


./Maildir/ 
|qbiff 


Step 11 

Since we have decided to use the local delivery agent of qmail (qmail-local), and to give it 
the task of delivering mail locally, we can remove the default Unix mailx package from our 
system and the /var/mail and /var/spool/mail directories too. 





e To remove mailx from your system, use the following command: 
[root@deep /]# rpm -e mailx 


e Toremove /var/mail and /var/spool/mail from your system, use the commands: 
[root@deep /]# rm -rf /var/mail 
[root@deep /]# rm -rf /var/spool/mail 





Also, we can remove procmail if this is not already done, since qmail doesn't need it to 
function properly. 

• To remove procmail from your system, use the following command: 
[root@deep /]# rpm -e procmail 

WARNING: If you have scripts that use /bin/mail to send out status reports without using the 
specific command line interface of mailx, you can just create a link after uninstalling the mailx 
package to /var/qmail/bin/qmail-inject and not worry about incompatibility. Otherwise, 
you must retain the mailx package on your system. To create a link to the qmail-inject 
program use: 

ln -s /var/qmail/bin/qmail-inject /bin/mail 





Step 13 

Once the compilation, optimization, and installation of the Mail Server has finished, we can free 
up some disk space by deleting the program tar archives and the related source directories since 
they are no longer needed. 


e To delete the programs and its related source directories, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf qmail-version/ 
[root@deep tmp]# rm -f qmail-version.tar.gz 
[root@deep tmp]# rm -rf ucspi-tcp-version/ 
[root@deep tmp]# rm -f ucspi-tcp-version.tar.gz 
[root@deep tmp]# rm -rf checkpassword-version/ 
[root@deep tmp]# rm -f checkpassword-version.tar.gz 
The rm commands as used above will remove the source files we have used to compile and 
install qmail, ucspi-tcp and checkpassword. They will also remove the qmail, ucspi-tcp and 
checkpassword compressed archives from the /var/tmp directory. 


Configuring qmail 

After qmail has been built and installed successfully in your system, your next step is to create, 
configure and customize all the options and parameters in your different qmail configuration files 
(if necessary). Depending on the kind of Mail Server you want to run, there are different 
configuration files to set up; these files are: 

For running qmail as a Central Mail Hub Server: 

✓ /var/qmail/control/me (The qmail hostname File) 
✓ /var/qmail/control/locals (The qmail locals File) 
✓ /var/qmail/control/rcpthosts (The qmail rcpthosts File) 
✓ /etc/tcp.smtp (The qmail tcp.smtp File) 
✓ /etc/qmqp.tcp (The qmail qmqp.tcp File) 
✓ /var/qmail/control/defaultdomain (The qmail defaultdomain File) 
✓ /var/qmail/control/plusdomain (The qmail plusdomain File) 
✓ /etc/rc.d/init.d/qmail (The qmail Mail Hub Initialization File) 

For running qmail as a Standalone Mail Server: 

✓ /var/qmail/control/me (The qmail hostname File) 
✓ /var/qmail/control/locals (The qmail locals File) 
✓ /var/qmail/control/rcpthosts (The qmail rcpthosts File) 
✓ /var/qmail/control/defaultdomain (The qmail defaultdomain File) 
✓ /var/qmail/control/plusdomain (The qmail plusdomain File) 
✓ /etc/rc.d/init.d/qmail (The qmail null client Initialization File) 








/var/qmail/control/me: The qmail Hostname Configuration File 

All files under the /var/qmail/control directory are configuration files for the qmail system. 
qmail can run with just one control file named 'me', which contains the fully-qualified name of the 
current host. This file 'me' is used as the default for other hostname-related control files. Usually 
you don't have to change this file 'me' since it already contains your fully qualified domain name 
for qmail to work; otherwise, if it doesn't exist, create it and add your fully qualified domain name 
(my.domain.com) inside it. 


/var/qmail/control/locals: The qmail locals Configuration File 

The qmail configuration file locals can be used to hold a list of domain names that the 
current host receives mail for, one per line. qmail will know through the content of this file which 
addresses it should deliver locally. 


This file becomes important when you configure qmail as a Central Mail Hub Server. If you want 
to configure your qmail software to run as a standalone Mail Server, you will need to remove the 
default value in this file, which is “localhost”. See later in this chapter for more information 
about running qmail as a standalone Mail Server. 
• Edit the locals file (vi /var/qmail/control/locals) and add: 

localhost 
boreas.openna.com 
boreas.customer.com 

Where <boreas.openna.com> in this example is our Mail Hub Server, and 
<boreas.customer.com> is one of our customers for which we decide to receive and send mail 
on the Mail Hub server. Note that the hostname is always 'boreas' since this is the hostname 
where our Central Mail Hub Server lives. 


/var/qmail/control/rcpthosts: The qmail rcpthosts File 

This file 'rcpthosts' specifies which domains are allowed to use the qmail Mail Server. If a 
domain is not listed in rcpthosts, then qmail-smtpd will reject any envelope recipient 
address in that domain. To summarize, qmail will know through the content of this file which messages it 
should accept from remote systems. 

By default with qmail, relaying is turned off and you must populate the rcpthosts file with the 
fully qualified domains of authorized hosts. As for the Sendmail local-host-names file, one use 
for such a file might be to declare a list of hosts in your network for which the local host is acting 
as the MX recipient. 

If you want to configure your qmail software to run as a standalone Mail Server, you don't need 
to change the default values in this file, which are again your FQDN "boreas.openna.com" and 
"localhost". See later in this chapter for more information about running qmail as a 
standalone Mail Server. 

• Edit the rcpthosts file (vi /var/qmail/control/rcpthosts) and add: 

localhost 
openna.com 
customer.com 

Where <openna.com> represents in this example our Mail Hub Server. The <customer.com> 
parameter means to allow every hostname under the domain <customer.com> to use the Mail 
Hub Server (boreas.openna.com) to send and receive mail. 


/etc/tcp.smtp: The qmail tcp.smtp File 

This section applies only if you chose to install and use qmail as a Central Mail Hub Server in 
your system. This file 'tcp.smtp' allows selected clients to send outgoing messages through the 
qmail SMTP server. Without it, only the localhost where qmail is running will be able to send 
outgoing messages. If you want to configure your qmail software to run as a standalone Mail 
Server, you don't need to create or have this file. 
Step 1 

As we now know, relaying is disabled by default with our configuration, and to allow relaying from 
selected and authorized users we will have to create a file named tcp.smtp under the /etc 
directory. This file will contain only the IP addresses for which we want to authorize relaying. 

• Create the tcp.smtp file (touch /etc/tcp.smtp) and add for example: 

207.35.78.3:allow,RELAYCLIENT="" 
192.168.1.:allow,RELAYCLIENT="" 

Where <207.35.78.3> and <192.168.1.> means to allow the IP address client 207.35.78.3 and 
all hosts under the private IP address range 192.168.1. to use the qmail Mail Hub Server to 
relay mail. 


Step 2 
Now we must run the tcprules utility of qmail, which compiles rules for tcpserver and 
creates the appropriate database file from the information in the tcp.smtp file. 

• To create the tcp.smtp database file, use the following commands: 
[root@deep /]# tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp 
[root@deep /]# chmod 644 /etc/tcp.smtp* 








NOTE: If you make any changes to /etc/tcp.smtp file, you must run the above tcprules 
command again. 





/etc/qmqp.tcp: The qmail gqmaqp.tcp File 

This section applies only if you chose to install and use qmail as a Central Mail Hub Server in 
your system. This file 'qmqp.tcp' allows fast queuing of outgoing mail from authorized client hosts 
through QMQP, which provides a centralized mail queue within a cluster of hosts. 

One central server runs a message transfer agent. The other hosts (Standalone Mail Servers) do 
not have their own mail queues (see later in this chapter the section 'Running qmail as an 
extremely secure standalone client (mini-qmail)'); they give each new message to the central 
server through QMQP. If you want to configure your qmail software to run as a standalone Mail 
Server, you don't need to create or have this file. 

Step 1 

The first step is to create the qmqp.tcp file in tcprules format to allow queuing from the 
authorized hosts. This file will contain any IP addresses for which we want to authorize queuing. 

• Create the qmqp.tcp file (touch /etc/qmqp.tcp) and add: 

207.35.78.:allow 
:deny 

Where <207.35.78.:allow> means to allow all hosts under the IP address range 
207.35.78. to use the qmail Mail Hub Server for queuing. The <:deny> parameter makes sure to 
deny connections from unauthorized hosts. 
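As an added example (not code from the book), the following Python models how tcpserver's rule lookup (the -x database built from tcp.smtp and qmqp.tcp) and qmail-smtpd's rcpthosts check combine for the files created in this section; the rule text and client addresses are constructed. One caveat worth checking against your own rcpthosts: qmail-smtpd matches an entry exactly unless it starts with a dot, so a line ".customer.com" is what accepts mail for hosts under customer.com.

```python
"""Added example, not code from the book: a model of how tcpserver's rule
lookup (-x) and qmail-smtpd's rcpthosts check combine for the tcp.smtp,
qmqp.tcp and rcpthosts files built in this chapter.  Rule text and client
addresses are constructed for the example."""

# Constructed copies of the three files described above.
TCP_SMTP = '207.35.78.3:allow,RELAYCLIENT=""\n192.168.1.:allow,RELAYCLIENT=""\n'
QMQP_TCP = "207.35.78.:allow\n:deny\n"
RCPTHOSTS = ["localhost", "openna.com", "customer.com"]


def parse_tcprules(text):
    """Parse tcprules source lines into {address: (decision, env)}.
    Each line is address:allow|deny[,VAR="value",...]."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        fields = rest.split(",")
        env = {}
        for assignment in fields[1:]:
            name, _, value = assignment.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (fields[0], env)
    return rules


def lookup(rules, client_ip):
    """Mimic tcpserver's search order for an IP address: the full address,
    then shorter and shorter dotted prefixes ("192.168.1.", "192.168.",
    "192."), then the empty address used as a default (":deny" above).
    With no matching rule tcpserver allows the connection and sets no
    variables.  Hostname (=host) rules and ranges are not modelled."""
    octets = client_ip.split(".")
    candidates = [client_ip]
    for n in (3, 2, 1):
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")
    for key in candidates:
        if key in rules:
            return rules[key]
    return ("allow", {})


def rcpt_allowed(env, recipient, rcpthosts):
    """qmail-smtpd's envelope recipient check: a client with RELAYCLIENT
    set may send anywhere; otherwise the recipient domain must appear in
    rcpthosts, either exactly or under a ".domain" wildcard line."""
    if "RELAYCLIENT" in env:
        return True
    domain = recipient.rpartition("@")[2].lower()
    for entry in rcpthosts:
        entry = entry.lower()
        if entry.startswith(".") and domain.endswith(entry):
            return True
        if domain == entry:
            return True
    return False


def smtp_decision(client_ip, recipient, rcpthosts=RCPTHOSTS):
    """Outcome of a RCPT TO on the hub: 'relay' (authorized relay client),
    'local' (a domain we accept mail for) or 'reject'."""
    decision, env = lookup(parse_tcprules(TCP_SMTP), client_ip)
    if decision != "allow":
        return "reject"  # tcpserver drops the connection before SMTP starts
    if "RELAYCLIENT" in env:
        return "relay"
    return "local" if rcpt_allowed(env, recipient, rcpthosts) else "reject"


def qmqp_decision(client_ip):
    """Whether tcpserver lets a host reach qmail-qmqpd on port 628."""
    return lookup(parse_tcprules(QMQP_TCP), client_ip)[0]


if __name__ == "__main__":
    for ip, rcpt in [("192.168.1.20", "anyone@example.org"),
                     ("10.0.0.5", "anyone@example.org"),
                     ("10.0.0.5", "postmaster@openna.com"),
                     ("10.0.0.5", "user@mail.customer.com")]:
        print(ip, rcpt, "->", smtp_decision(ip, rcpt))
    for ip in ("207.35.78.9", "192.168.1.20"):
        print("qmqp", ip, "->", qmqp_decision(ip))
```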
Step 2 
Now we must run the tcprules utility of qmail to convert /etc/qmqp.tcp to the 
/etc/qmqp.cdb format. 

• To create the qmqp.cdb file, use the following commands: 
[root@deep /]# tcprules /etc/qmqp.cdb /etc/qmqp.tmp < /etc/qmqp.tcp 
[root@deep /]# chmod 644 /etc/qmqp.* 

NOTE: If you make any changes to the /etc/qmqp.tcp file, you must run the above tcprules 
command again. 





Step 3 
After that, edit the /etc/services file and add an entry for qmail-qmqpd on port 628. This 
port number doesn't exist for qmail and we must add it to the list. 

• Edit the services file (vi /etc/services), and add the line: 

qmail-qmqpd 628/tcp # QMQP: Quick Mail Queueing Protocol 


Step 4 
Finally, it's important to allow traffic through port 628 in our firewall script file for the qmail-
qmqpd daemon to work properly in the system. 

• Edit the iptables script file (vi /etc/rc.d/init.d/iptables), and add/check the 
following lines to allow qmail-qmqpd packets to traverse the network: 

# QMQP server (628) 
# 
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ 
         -s $IPADDR --source-port $UNPRIVPORTS \ 
         -d $PRIVATENET --destination-port 628 -j ACCEPT 

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ 
         -s $PRIVATENET --source-port 628 \ 
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT 

Where EXTERNAL_INTERFACE="eth0" # Internet connected interface 
Where IPADDR="207.35.78.4" # Your IP address for eth0 
Where PRIVATENET="207.35.78.0/32" # IP ranges assigned by your ISP 
Where UNPRIVPORTS="1024:65535" # Unprivileged port range 

WARNING: Note that QMQP is not a public service. Servers should not accept QMQP connections 
from unauthorized IP addresses. 
/var/qmail/control/defaultdomain: The qmail defaultdomain File 

The defaultdomain file is used by qmail to add the domain name listed in the file 
(defaultdomain) to any host name without dots. Usually you don't have to change the default 
information (i.e. openna.com) listed in this file (defaultdomain). 

/var/qmail/control/plusdomain: The qmail plusdomain File 

The plusdomain file is used by qmail to add the domain name listed in the file (plusdomain) 
to any host name that ends with a plus sign. Usually you don't have to change the default 
information (i.e. openna.com) listed in this file (plusdomain). 


/etc/rc.d/init.d/qmail: The qmail Initialization File for Mail Hub 

This section applies only if you chose to install and use qmail as a Central Mail Hub Server in 
your system. The /etc/rc.d/init.d/qmail script file is responsible for automatically starting and 
stopping all the required qmail daemons on your server. 


Step 1 

Create the qmail script file (touch /etc/rc.d/init.d/qmail) and add the following lines: 

#!/bin/sh 
# qmail        This starts and stops qmail. 
# 
# chkconfig: 2345 80 30 
# description: qmail is a small, fast, secure replacement \ 
#              for the sendmail package, which is the \ 
#              program that actually receives, routes, \ 
#              and delivers electronic mail. 
# 
# config: /etc/sysconfig/network 

PATH=/sbin:/bin:/usr/bin:/usr/sbin 

# Source function library. 
. /etc/init.d/functions 

# Get config. 
test -f /etc/sysconfig/network && . /etc/sysconfig/network 

# Check that networking is up. 
[ ${NETWORKING} = "yes" ] || exit 0 

[ -f /var/qmail/bin/qmail-send ] || exit 1 

RETVAL=0 

start() { 
        echo -n "Starting qmail: " 
        # qmail-start takes the contents of /etc/dot-qmail as the default delivery. 
        exec env PATH="/var/qmail/bin:$PATH" \ 
                qmail-start "`cat /etc/dot-qmail`" splogger qmail & 
        # SMTP: relay rules from tcp.smtp.cdb, run as qmaild (uid 81) / nofiles (gid 81), 
        # connections logged through splogger. 
        tcpserver -p -v -c 400 -x /etc/tcp.smtp.cdb -u 81 -g 81 0 smtp \ 
                rblsmtpd -rrelays.orbs.org -rrbl.maps.vix.com \ 
                /var/qmail/bin/qmail-smtpd 2>&1 | \ 
                /var/qmail/bin/splogger smtpd 3 & 
        # POP3: qmail-popup hands the login to checkpassword, which runs qmail-pop3d. 
        tcpserver 0 110 /var/qmail/bin/qmail-popup \ 
                `hostname` /bin/checkpassword \ 
                /var/qmail/bin/qmail-pop3d Maildir & 
        # QMQP: only hosts allowed in qmqp.cdb may queue mail here. 
        tcpserver -x /etc/qmqp.cdb -u 81 -g 81 0 628 /var/qmail/bin/qmail-qmqpd & 
        RETVAL=$? 
        echo 
        touch /var/lock/subsys/qmail 
        return $RETVAL 
} 

stop() { 
        echo -n "Stopping qmail: " 
        killproc qmail-send 
        killproc tcpserver 
        RETVAL=$? 
        echo 
        rm -f /var/lock/subsys/qmail 
        return $RETVAL 
} 

restart() { 
        stop 
        start 
} 

reload() { 
        # qmail-send re-reads its control files on SIGHUP. 
        killproc qmail-send -HUP 
        RETVAL=$? 
        echo 
        return $RETVAL 
} 

# See how we were called. 
case "$1" in 
  start) 
        start 
        ;; 
  stop) 
        stop 
        ;; 
  status) 
        status qmail-send 
        ;; 
  restart) 
        restart 
        ;; 
  reload) 
        reload 
        ;; 
  *) 
        echo "Usage: qmail {start|stop|status|restart|reload}" 
        RETVAL=1 
esac 
exit $RETVAL 
WARNING: Many security and optimization features of qmail need to be added to the initialization
script file with the tcpserver. For this reason I decided to explain each one here to simplify
interpretation.

Adding "2>&1 | /var/qmail/bin/splogger smtpd 3 &" at the end of the "tcpserver -v -c 400 -x
/etc/tcp.smtp.cdb -u 81 -g 81 0 smtp /var/qmail/bin/qmail-smtpd" line in the initialization
script of qmail will keep track of who's connecting and for how long.

By default, tcpserver allows at most 40 simultaneous qmail-smtpd processes. To raise this limit,
we add the option "-c 400" to the above script file to set it to 400 simultaneous processes.

Adding the -p option to your startup script file will reject SMTP connections at the network level
from hosts with bad DNS. This is one way to cut down on e-mail from hosts that have misconfigured
their DNS, and therefore are thought by some to be more likely to be spam-friendly.

In the ucspi-tcp package there is a program named 'rblsmtpd' that can be used with the qmail SMTP
daemon to reject known spammers. Adding a parameter like 'rblsmtpd -rrelays.orbs.org
-rrbl.maps.vix.com' to your startup script file will use the ORBS database in addition to the RBL to
reject known spammers. Note that ORBS and RBL are 'Real-time Third-Party Blocking Solutions';
see http://www.orbs.org/ and http://rblcheck.sourceforge.net/ for more information.
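The "who's connecting and for how long" that the splogger pipeline records is only useful if someone reads it. The following Python script, added here and not part of the book, pairs each SMTP session's tcpserver "ok" and "end" lines by PID to get its duration per remote address, counts "deny" lines (tcprules or rblsmtpd rejections) and follows the "status: n/400" counter against the -c limit. The log lines are constructed samples in the shape tcpserver -v and splogger produce; the syslog prefix and the host names are assumptions.

```python
"""Who connected to the qmail SMTP service, and for how long.

Added example (not from the book): parses the syslog lines written by the
"tcpserver -v ... 2>&1 | splogger smtpd 3" pipeline of the init script.
splogger prefixes every tcpserver line with a Unix timestamp, so pairing a
session's "ok" and "end" lines by PID gives its duration; "deny" lines are
tcprules/rblsmtpd rejections; "status: n/400" is the live count against
the -c limit.  The syslog prefix and the host names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (syslog prefix, splogger timestamp, tcpserver -v line).
SAMPLE_LOG = """\
Apr 10 12:00:01 deep smtpd: 986904001.102345 tcpserver: status: 1/400
Apr 10 12:00:01 deep smtpd: 986904001.102401 tcpserver: pid 2201 from 192.0.2.10
Apr 10 12:00:01 deep smtpd: 986904001.110230 tcpserver: ok 2201 deep.openna.com:203.0.113.5:25 :192.0.2.10::4401
Apr 10 12:00:02 deep smtpd: 986904002.000001 tcpserver: status: 2/400
Apr 10 12:00:02 deep smtpd: 986904002.000010 tcpserver: pid 2202 from 198.51.100.7
Apr 10 12:00:02 deep smtpd: 986904002.010000 tcpserver: ok 2202 deep.openna.com:203.0.113.5:25 relay.example.net:198.51.100.7::51022
Apr 10 12:00:03 deep smtpd: 986904003.000000 tcpserver: status: 3/400
Apr 10 12:00:03 deep smtpd: 986904003.000100 tcpserver: pid 2203 from 192.0.2.99
Apr 10 12:00:03 deep smtpd: 986904003.000200 tcpserver: deny 2203 deep.openna.com:203.0.113.5:25 :192.0.2.99::4500
Apr 10 12:00:03 deep smtpd: 986904003.000300 tcpserver: end 2203 status 25600
Apr 10 12:00:03 deep smtpd: 986904003.000400 tcpserver: status: 2/400
Apr 10 12:00:04 deep smtpd: 986904004.500000 tcpserver: end 2201 status 0
Apr 10 12:00:04 deep smtpd: 986904004.500100 tcpserver: status: 1/400
Apr 10 12:00:09 deep smtpd: 986904009.010000 tcpserver: end 2202 status 256
Apr 10 12:00:09 deep smtpd: 986904009.010100 tcpserver: status: 0/400
"""

# splogger timestamp, then "tcpserver: <kind> <rest>" ("status" carries a colon).
LINE_RE = re.compile(r"(?P<ts>\d+\.\d+) tcpserver: (?P<kind>\w+):? (?P<rest>.*)$")


def remote_ip(endpoint):
    """The remote endpoint is 'host:ip:info:port'; host and info may be empty."""
    return endpoint.split(":")[1]


def new_ip_record():
    return {"connections": 0, "denied": 0, "seconds": 0.0, "errors": 0}


def summarize(log_text):
    """Per-IP counts and session time, peak concurrency, and sessions never ended."""
    open_sessions = {}                       # pid -> (remote ip, start timestamp)
    by_ip = defaultdict(new_ip_record)
    peak, limit = 0, None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                         # not a tcpserver line
        ts, kind, rest = float(m["ts"]), m["kind"], m["rest"].split()
        if kind == "status":                 # "n/limit"
            current, limit = (int(x) for x in rest[0].split("/"))
            peak = max(peak, current)
        elif kind == "ok":                   # "pid local remote": session accepted
            pid, _local, remote = rest
            ip = remote_ip(remote)
            open_sessions[pid] = (ip, ts)
            by_ip[ip]["connections"] += 1
        elif kind == "deny":                 # rejected by tcprules or rblsmtpd
            by_ip[remote_ip(rest[2])]["denied"] += 1
        elif kind == "end":                  # "pid status N": N is the wait status
            pid, _word, status = rest
            if pid in open_sessions:
                ip, start = open_sessions.pop(pid)
                by_ip[ip]["seconds"] += ts - start
                if status != "0":
                    by_ip[ip]["errors"] += 1
    return {"peak": peak, "limit": limit, "by_ip": dict(by_ip),
            "still_open": sorted(open_sessions)}


def top_talkers(summary, n=5):
    """Remote IPs ordered by accepted plus denied connections, busiest first."""
    rows = [(ip, d["connections"] + d["denied"]) for ip, d in summary["by_ip"].items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"peak concurrency {s['peak']} of {s['limit']}")
    for ip, d in sorted(s["by_ip"].items()):
        print(f"{ip:16} conn={d['connections']} denied={d['denied']} "
              f"errors={d['errors']} time={d['seconds']:.2f}s")
    print("busiest:", top_talkers(s, 3))
```

On a live server, feed it the smtpd lines from /var/log/maillog (or wherever syslog puts the smtpd facility); a non-empty "still_open" list after the log ends points at sessions that are hanging on to one of the 400 slots.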





Step 2

Once the qmail script file has been created, it is important to make it executable, change its
default permissions, create the necessary links and start it. Making this file executable will allow
the system to run it, changing its default permissions allows only the root user to change this
file, for security reasons, and creating the symbolic links will let the process control initialization
of Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the program automatically for you at each boot.

• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/qmail
[root@deep /]# chown 0.0 /etc/rc.d/init.d/qmail

• To create the symbolic rc.d links for qmail, use the following commands:
[root@deep /]# chkconfig --add qmail
[root@deep /]# chkconfig --level 2345 qmail on

• To start qmail software manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/qmail start
Starting qmail: [OK]
/etc/rc.d/init.d/qmail: The qmail Initialization File for null client

This section applies only if you chose to install and use qmail as a Standalone Mail Server (null
client) in your system. The /etc/rc.d/init.d/qmail script file is responsible for automatically
starting and stopping all the qmail daemons on your server.
Step 1
Create the qmail script file (touch /etc/rc.d/init.d/qmail) and add the following lines:

#!/bin/sh
#
# qmail          This starts and stops qmail.
#
# chkconfig: 2345 80 30
# description: qmail is a small, fast, secure replacement \
# for the sendmail package, which is the \
# program that actually receives, routes, \
# and delivers electronic mail.
# config: /etc/sysconfig/network

PATH=/sbin:/bin:/usr/bin:/usr/sbin

# Source function library.
. /etc/init.d/functions

# Get config.
test -f /etc/sysconfig/network && . /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "yes" ] || exit 0

[ -f /var/qmail/bin/qmail-send ] || exit 1

RETVAL=0

start () {
        echo -n "Starting qmail: "
        # A null client only runs qmail-send: no SMTP, POP3 or QMQP listener.
        exec env PATH="/var/qmail/bin:$PATH" \
        qmail-start "`cat /etc/dot-qmail`" splogger qmail &
        RETVAL=$?
        echo
        touch /var/lock/subsys/qmail
        return $RETVAL
}

stop () {
        echo -n "Stopping qmail: "
        killproc qmail-send
        RETVAL=$?
        echo
        rm -f /var/lock/subsys/qmail
        return $RETVAL
}

restart () {
        stop
        start
}

# qmail-send rereads locals and virtualdomains when it receives SIGHUP.
reload () {
        echo -n "Reloading qmail: "
        killproc qmail-send -HUP
        RETVAL=$?
        echo
        return $RETVAL
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status qmail-send
        ;;
  restart)
        restart
        ;;
  reload)
        reload
        ;;
  *)
        echo "Usage: qmail {start|stop|status|restart|reload}"
        RETVAL=1
esac

exit $RETVAL





Step 2

Once the qmail script file has been created, it is important to make it executable, change its
default permissions, create the necessary links and start it. Making this file executable will allow
the system to run it, changing its default permissions allows only the root user to change this
file, for security reasons, and creating the symbolic links will let the process control initialization
of Linux, which is in charge of starting all the normal and authorized processes that need to run at
boot time on your system, start the program automatically for you at each boot.

• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/qmail
[root@deep /]# chown 0.0 /etc/rc.d/init.d/qmail

• To create the symbolic rc.d links for qmail, use the following commands:
[root@deep /]# chkconfig --add qmail
[root@deep /]# chkconfig --level 2345 qmail on

• To start qmail software manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/qmail start
Starting qmail: [OK]




















NOTE: All software we describe in this book has a specific directory and subdirectory in the tar
compressed archive named floppy-2.0.tgz containing configuration files for the specific
program. If you get this archive file, you won't be obliged to reproduce the different
configuration files manually or cut and paste them to create or change your configuration files.
Whether you decide to copy manually or get the files made for your convenience from the
compressed archive, it will be your responsibility to modify them to adjust for your needs, and
place the files related to this software in the appropriate places on your server. The server
configuration file archive to download is located at the following Internet address:
ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz.
Running qmail as a standalone null client

This section applies only if you chose to install and use qmail as a Standalone Mail Server in
your system. As with the Sendmail null client setup (null.mc), we can configure qmail local client
machines to never receive mail directly from the outside world, but to relay (send) all their mail
through a centralized mail service known as a Mail Hub Server. Contrary to the Sendmail setup,
which requires a special macro file named null.mc, qmail in its default install can easily be
configured to run as a standalone mail server. Configuring qmail to run in this null client
configuration mode will work with any kind of Central Mail Hub Server on the other side.

Step 1

Here we need to set up the null client of qmail to send all local mail to the Central Mail Hub (i.e.
boreas.openna.com). To do it we need to create a new file named smtproutes under the
/var/qmail/control directory and add inside this file the FQDN or domain name of the remote
Mail Hub which handles all mail for our null client Mail Server. The leading ":" means to transfer
all outgoing mail through the "openna.com" domain name.

• To create the smtproutes file, use the following commands:
[root@deep /]# echo :smtp.openna.com > /var/qmail/control/smtproutes
[root@deep /]# chmod 644 /var/qmail/control/smtproutes

In the above example, <:smtp.openna.com> is the domain name of our Central Mail Hub Server
where we want to send all outgoing mail messages.

Step 2

Now it's important to stop our local null client Mail Server from delivering mail locally. This is
important since we want to forward all local mail to the Mail Hub Server. The solution is to remove
the "localhost" entry from the /var/qmail/control/locals file on the null client server.

• Edit the locals file (vi /var/qmail/control/locals), and remove the line:

localhost

WARNING: It's important to be sure that the MX record is set up properly in your DNS (Domain
Name Server) server before you do this. Also be sure that the ucspi-tcp and checkpassword
packages are not installed. A qmail null client doesn't need those programs.

Step 3
Finally, it's important to restart the qmail null client Mail Server for the changes to take effect.

• To restart qmail, use the following command:
[root@deep /]# /etc/rc.d/init.d/qmail restart
Stopping qmail: [OK]
Starting qmail: [OK]

NOTE: Don't forget to use the null client initialization script file of qmail and not the regular one
for this setup. This is important since qmail-smtpd and qmail-pop3d must be turned off in this
configuration. We don't need to have those daemons running and open in the background.
Running qmail with SSL support

There is a patch which implements RFC2487 in qmail. This means you can get SSL or TLS
encrypted and authenticated SMTP between MTAs and between an MTA and an MUA like
Netscape or MS Outlook. The code is considered experimental and can be found at:
http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch

Securing qmail

This section deals especially with actions we can take to improve and tighten security under
qmail. Given its highly secure nature, there is not a lot we can do here other than improve
security for its null client part.

Running qmail as an extremely secure standalone client (mini-qmail)

This section applies only if you chose to install and use qmail as a Standalone Mail Server in
your system. We have already and successfully configured qmail to run as a standalone Mail
Server previously. Here we'll show you how to run it in a much more secure manner. The
difference with the previous null client configuration of qmail is the fact that in this setup, the
Central Mail Hub Server at the other side must be a qmail server. This kind of configuration is
known as a mini-qmail installation. A mini-qmail installation doesn't have a mail queue; instead it
gives each new message to a central server through QMQP (see further up under the section
'/etc/qmqp.tcp: The qmail qmqp.tcp File' for more information about QMQP).

Step 1
With qmail running as a standalone mail server under a mini-qmail configuration, you don't need
/var/qmail/alias. A mini-qmail installation doesn't do any local delivery.

• To remove the /var/qmail/alias directory, use the following command:
[root@deep /]# rm -rf /var/qmail/alias

Step 2
A null client doesn't need qmail entries in /etc/group and /etc/passwd. A mini-qmail runs with
the same privileges as the user sending mail; it doesn't have any files of its own.

• Remove all qmail users and groups from your system with the following commands:
[root@deep /]# userdel alias
[root@deep /]# userdel qmaild
[root@deep /]# userdel qmaill
[root@deep /]# userdel qmailp
[root@deep /]# userdel qmailq
[root@deep /]# userdel qmailr
[root@deep /]# userdel qmails
[root@deep /]# groupdel qmail
[root@deep /]# groupdel nofiles
Step 3

A mini-qmail installation doesn't need to start anything from the boot scripts. A null client doesn't
have a queue, so it doesn't need a long-running queue manager and doesn't receive incoming
mail.

• Deactivate the /etc/rc.d/init.d/qmail initialization file with the following commands:
[root@deep /]# chkconfig --level 2345 qmail off
[root@deep /]# chkconfig --del qmail
[root@deep /]# rm -f /etc/rc.d/init.d/qmail

Step 4
Since we run a highly secure and fast null client, there are many qmail binaries that we can
remove from the /var/qmail/bin directory of the system.

• Remove all non-needed qmail binaries from the system with the following commands:
[root@deep /]# rm -f /var/qmail/bin/bouncesaying
[root@deep /]# rm -f /var/qmail/bin/condredirect
[root@deep /]# rm -f /var/qmail/bin/except
[root@deep /]# rm -f /var/qmail/bin/preline
[root@deep /]# rm -f /var/qmail/bin/qbiff
[root@deep /]# rm -f /var/qmail/bin/qmail-clean
[root@deep /]# rm -f /var/qmail/bin/qmail-getpw
[root@deep /]# rm -f /var/qmail/bin/qmail-local
[root@deep /]# rm -f /var/qmail/bin/qmail-lspawn
[root@deep /]# rm -f /var/qmail/bin/qmail-newmrh
[root@deep /]# rm -f /var/qmail/bin/qmail-newu
[root@deep /]# rm -f /var/qmail/bin/qmail-pop3d
[root@deep /]# rm -f /var/qmail/bin/qmail-popup
[root@deep /]# rm -f /var/qmail/bin/qmail-pw2u
[root@deep /]# rm -f /var/qmail/bin/qmail-qmqpd
[root@deep /]# rm -f /var/qmail/bin/qmail-queue
[root@deep /]# rm -f /var/qmail/bin/qmail-remote
[root@deep /]# rm -f /var/qmail/bin/qmail-rspawn
[root@deep /]# rm -f /var/qmail/bin/qmail-qmtpd
[root@deep /]# rm -f /var/qmail/bin/qmail-send
[root@deep /]# rm -f /var/qmail/bin/qmail-smtpd
[root@deep /]# rm -f /var/qmail/bin/qmail-start
[root@deep /]# rm -f /var/qmail/bin/qmail-tcpok
[root@deep /]# rm -f /var/qmail/bin/qmail-tcpto
[root@deep /]# rm -f /var/qmail/bin/qreceipt
[root@deep /]# rm -f /var/qmail/bin/qsmhook
[root@deep /]# rm -f /var/qmail/bin/splogger
[root@deep /]# rm -f /var/qmail/bin/tcp-env

NOTE: Be sure that the ucspi-tcp and checkpassword packages are not installed. A mini-qmail
configuration doesn't need these programs.

Step 5

One of the last steps to do is to create a symbolic link to qmail-qmqpc from
/var/qmail/bin/qmail-queue. qmail-qmqpc offers the same interface as qmail-queue, but it
gives the message to a QMQP server instead of storing it locally.

• To create the symbolic link, use the following commands:
[root@deep /]# cd /var/qmail/bin
[root@deep /]# ln -s qmail-qmqpc /var/qmail/bin/qmail-queue
Step 6

Now, it's important to create a list of IP addresses of QMQP servers, one per line, in
/var/qmail/control/qmqpservers. The qmail-qmqpc utility will try each address in turn
until it establishes a QMQP connection or runs out of addresses.

• To create a list of IP addresses of QMQP servers, use the following command:
[root@deep /]# touch /var/qmail/control/qmqpservers

• Edit the qmqpservers file (vi /var/qmail/control/qmqpservers), and add the
FQDN of your Mail Hub Server in the list:

boreas.openna.com

NOTE: In this example, we assume that you have only one Central Mail Hub Server located at
boreas.openna.com. If you handle more than one Mail Hub Server, then don't forget to add its
FQDN (Fully Qualified Domain Name) in the list (one per line).

Step 7

After that, you need a copy of the /var/qmail/control/me,
/var/qmail/control/defaultdomain, and /var/qmail/control/plusdomain files
from your qmail Central Mail Hub Server, so that the qmail-inject program uses appropriate
host names in outgoing mail. You must copy these qmail files from the remote Central Mail Hub
Server to your /var/qmail/control directory on the local null client mini-qmail Mail Server.

WARNING: It's important that the remote Mail Hub is a qmail Mail Hub Server and not a
Sendmail Mail Hub Server or you will not be able to get those required files for the local null
client mini-qmail Mail server. Remember that Sendmail doesn't use the same files that qmail uses.

Step 8

Finally, we must create a new file named idhost under the /var/qmail/control directory on the
mini-qmail Mail server which will contain its host's name, so that the qmail-inject program
generates Message-IDs without any risk of collision.

• Create the idhost file (touch /var/qmail/control/idhost), and add:
cronus.openna.com

Where <cronus.openna.com> is a fully-qualified name within the domain. Therefore, don't
forget to put in this file the current host name of your own mini-qmail Mail server.
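A check on the null-client setup above (smtproutes, locals) and on the mini-qmail steps (alias directory, qmail-queue link, qmqpservers, the control files copied from the hub, idhost), written as a Python script added to this edition; it is not part of the book or of qmail. The qmail home directory is a parameter so it can run against a constructed copy; the function names and finding texts are my own, and the rule that qmqpservers holds IP addresses rather than names follows qmail-qmqpc(8), which reads that file as a list of IP addresses and does not resolve host names.

```python
"""Checks for a qmail null client and a mini-qmail installation.

Added example, not part of the book or of qmail.  The qmail home directory
is a parameter so the checks can run against a constructed copy; function
names and finding texts are my own.  File names under control/ and bin/ are
qmail's; the rule that qmqpservers holds IP addresses, one per line, is
from qmail-qmqpc(8), which does not resolve host names.
"""
import ipaddress
import os
import shutil
import tempfile


def read_control(control_dir, name):
    """Non-empty lines of a control file, or None if it does not exist."""
    try:
        with open(os.path.join(control_dir, name)) as fh:
            return [line.strip() for line in fh if line.strip()]
    except FileNotFoundError:
        return None


def check_null_client(qmail_home="/var/qmail"):
    """Null-client Steps 1-2 (smtproutes, locals); returns a list of findings."""
    control = os.path.join(qmail_home, "control")
    findings = []
    routes = read_control(control, "smtproutes") or []
    # Step 1: a ":hub" line (empty domain part) routes everything to the Mail Hub.
    if not any(r.startswith(":") and len(r) > 1 for r in routes):
        findings.append("smtproutes: no catch-all ':hub' route, mail would go out directly")
    # Step 2: 'localhost' in locals keeps local delivery alive on the null client.
    if "localhost" in (read_control(control, "locals") or []):
        findings.append("locals: 'localhost' still listed, remove it to stop local delivery")
    return findings


def check_mini_qmail(qmail_home="/var/qmail"):
    """Mini-qmail Steps 1 and 5-8; returns a list of findings."""
    control = os.path.join(qmail_home, "control")
    findings = []
    if os.path.isdir(os.path.join(qmail_home, "alias")):        # Step 1
        findings.append("alias/: still present, a mini-qmail does no local delivery")
    queue = os.path.join(qmail_home, "bin", "qmail-queue")      # Step 5
    if not os.path.islink(queue) or os.path.basename(os.readlink(queue)) != "qmail-qmqpc":
        findings.append("bin/qmail-queue: not a symbolic link to qmail-qmqpc")
    servers = read_control(control, "qmqpservers")              # Step 6
    if not servers:
        findings.append("qmqpservers: missing or empty, no QMQP server to hand mail to")
    else:
        for entry in servers:
            try:
                ipaddress.ip_address(entry)
            except ValueError:
                findings.append(f"qmqpservers: '{entry}' is not an IP address")
    for name in ("me", "defaultdomain", "plusdomain", "idhost"):  # Steps 7-8
        if not read_control(control, name):
            findings.append(f"{name}: missing or empty")
    idhost = read_control(control, "idhost") or []
    if idhost and "." not in idhost[0]:
        findings.append("idhost: should be the fully-qualified name of this host")
    return findings


def build_sample_tree(base, hub_ip="203.0.113.2"):
    """Constructed mini-qmail layout (names are placeholders, not a real site)."""
    control, bin_dir = os.path.join(base, "control"), os.path.join(base, "bin")
    os.makedirs(control, exist_ok=True)
    os.makedirs(bin_dir, exist_ok=True)
    values = {"me": "cronus.openna.com", "defaultdomain": "openna.com",
              "plusdomain": "openna.com", "idhost": "cronus.openna.com",
              "qmqpservers": hub_ip, "smtproutes": ":smtp.openna.com"}
    for name, value in values.items():
        with open(os.path.join(control, name), "w") as fh:
            fh.write(value + "\n")
    open(os.path.join(bin_dir, "qmail-qmqpc"), "w").close()    # stand-in binary
    os.symlink("qmail-qmqpc", os.path.join(bin_dir, "qmail-queue"))


def demo():
    """Run both checks on a good constructed layout, then on a broken one."""
    base = tempfile.mkdtemp(prefix="mini-qmail-")
    try:
        build_sample_tree(base)
        good = (check_null_client(base), check_mini_qmail(base))
        control = os.path.join(base, "control")
        with open(os.path.join(control, "qmqpservers"), "w") as fh:
            fh.write("boreas.openna.com\n")          # a name where an IP is required
        with open(os.path.join(control, "locals"), "w") as fh:
            fh.write("localhost\n")                  # local delivery left enabled
        bad = (check_null_client(base), check_mini_qmail(base))
    finally:
        shutil.rmtree(base)
    return good, bad


if __name__ == "__main__":
    for label, results in zip(("good", "broken"), demo()):
        print(label, "null client:", results[0], "mini-qmail:", results[1])
```

Run check_mini_qmail() with no argument on the mini-qmail host itself after Step 8; an empty list means the layout matches the steps.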
For more details about the qmail program, there are several manual pages you can read. I highly
recommend you take the time to run through them. By doing this, you'll be more comfortable
with the way qmail works.

man bouncesaying (1)     bounce each incoming message
man condredirect (1)     redirect mail to another address
man except (1)           reverse the exit code of a program
man forward (1)          forward new mail to one or more addresses
man maildir2mbox (1)     move mail from a maildir to an mbox
man maildirmake (1)      create a maildir for incoming mail
man maildirwatch (1)     look for new mail in a maildir
man mailsubj (1)         send a mail message with a subject line
man preline (1)          prepend lines to message
man qbiff (1)            announce new mail the moment it arrives
man qreceipt (1)         respond to delivery notice requests
man tcp-env (1)          set up TCP-related environment variables
man addresses (5)        formats for Internet mail addresses
man mbox (5)             file containing mail messages
man dot-qmail (5)        control the delivery of mail messages
man envelopes (5)        sender/recipient lists attached to messages
man maildir (5)          directory for incoming mail messages
man qmail-control (5)    qmail configuration files
man qmail-header (5)     format of a mail message
man qmail-log (5)        the qmail activity record
man qmail-users (5)      assign mail addresses to users
man tcp-environ (5)      TCP-related environment variables
man forgeries (7)        how easy it is to forge mail
man qmail (7)            overview of qmail documentation
man qmail-limits (7)     artificial limits in the qmail system
man qmail-newu (8)       prepare address assignments for qmail-lspawn
man qmail-command (8)    user-specified mail delivery program
man qmail-getpw (8)      give addresses to users
man qmail-inject (8)     preprocess and send a mail message
man qmail-local (8)      deliver or forward a mail message
man qmail-lspawn (8)     schedule local deliveries
man qmail-newmrh (8)     prepare morercpthosts for qmail-smtpd
man qmail-pop3d (8)      distribute mail via POP
man qmail-popup (8)      read a POP username and password
man qmail-pw2u (8)       build address assignments from a passwd file
man qmail-qmqpc (8)      queue a mail message via QMQP
man qmail-qmqpd (8)      receive mail via QMQP
man qmail-qmtpd (8)      receive mail via QMTP
man qmail-send (8)       deliver mail messages from the queue
man qmail-qread (8)      list outgoing messages and recipients
man qmail-qstat (8)      summarize status of mail queue
man qmail-queue (8)      queue a mail message for delivery
man qmail-remote (8)     send mail via SMTP
man qmail-rspawn (8)     schedule remote deliveries
man qmail-showctl (8)    analyze the qmail configuration files
man qmail-smtpd (8)      receive mail via SMTP
man qmail-start (8)      turn on mail delivery
man qmail-tcpok (8)      clear TCP timeout table
man qmail-tcpto (8)      print TCP timeout table
man splogger (8)         make entries in syslog
qmail Administrative Tools
The commands listed below are some that we use often, but many more exist. Check the manual
pages and documentation of qmail for more information.

qmail-showctl

This command utility allows you to analyze your existing qmail configuration files on the system
and explains the current qmail configuration. It can be useful when you want to verify whether
modifications made to your configuration files have been picked up by the system.

• To run qmail-showctl, use the following command:
[root@deep /]# /var/qmail/bin/qmail-showctl
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 120.
subdirectory split: 23.
user ids: 82, 81, 86, 0, 87, 83, 84, 85.
group ids: 81, 82.

badmailfrom: (Default.) Any MAIL FROM is allowed.
bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.
bouncehost: (Default.) Bounce host name is boreas.openna.com.
concurrencylocal: (Default.) Local concurrency is 10.
concurrencyremote: (Default.) Remote concurrency is 20.
databytes: (Default.) SMTP DATA limit is 0 bytes.
defaultdomain: Default domain name is openna.com.
defaulthost: (Default.) Default host name is boreas.openna.com.
doublebouncehost: (Default.) 2B recipient host: boreas.openna.com.
doublebounceto: (Default.) 2B recipient user: postmaster.
envnoathost: (Default.) Presumed domain name is boreas.openna.com.
helohost: (Default.) SMTP client HELO host name is boreas.openna.com.
idhost: (Default.) Message-ID host name is boreas.openna.com.
localiphost: (Default.) Local IP address becomes boreas.openna.com.
locals:
Messages for localhost are delivered locally.
Messages for boreas.openna.com are delivered locally.
me: My name is boreas.openna.com.
percenthack: (Default.) The percent hack is not allowed.
plusdomain: Plus domain name is openna.com.
qmqpservers: (Default.) No QMQP servers.
queuelifetime: (Default.) Message lifetime in the queue is 604800 sec.
rcpthosts:
SMTP clients may send messages to recipients at localhost.
SMTP clients may send messages to recipients at boreas.openna.com.
SMTP clients may send messages to recipients at .openna.com.
SMTP clients may send messages to recipients at .customer.com.
morercpthosts: (Default.) No effect.
morercpthosts.cdb: (Default.) No effect.
smtpgreeting: (Default.) SMTP greeting: 220 boreas.openna.com.
smtproutes: (Default.) No artificial SMTP routes.
timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.
timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.
timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.
virtualdomains: (Default.) No virtual domains.
qmail-qread

This command utility is used to list outgoing messages and recipients on the system in
human-readable format. If you want to see the queued messages on the system, then you must
use the qmail-qread command. qmail-qread scans the queue for messages that haven't been
completely delivered yet. If a message has multiple recipients, it's not unusual for some of the
recipients to receive the message before others.

• To scan the outgoing queue of messages, use the following command:
[root@deep /]# qmail-qread

NOTE: If you want to process qmail queues manually, you can send an ALRM signal to the
qmail-send daemon to have it run through everything in the queue immediately.
E.g., "killall -ALRM qmail-send"

qmail-qstat
The qmail-qstat command gives a human-readable breakdown of the number of messages at
various stages in the mail queue; in short, it summarizes the status of your mail queue.

• To see the status of your mail queue, use the following command:
[root@deep /]# qmail-qstat
messages in queue: 0
messages in queue but not yet preprocessed: 0

qmail Users Tools

The commands listed below are some that we use often, but many more exist. Check the manual
pages and documentation of qmail for more information.

maildirwatch

The "maildirwatch" program is used to look for new user mail in a maildir inside a terminal
screen. This is the program we use to replace the mailx package we uninstalled previously
during the installation of qmail. Recall that the maildirwatch tool is more reliable, faster and
more secure than mailx.

NOTE: If you receive an error message like: maildirwatch: fatal: MAILDIR not set

It is because you have forgotten to "give it" the MAILDIR variable, for instance:
export MAILDIR=$HOME/Maildir
List of installed qmail files on your system

> /etc/skel/Maildir
> /etc/skel/Maildir/tmp
> /etc/skel/Maildir/new
> /etc/skel/Maildir/cur
> /etc/tcp.smtp
> /etc/tcp.smtp.cdb
> /etc/qmqp.tcp
> /etc/qmqp.cdb
> /etc/dot-qmail
> /usr/bin/maildir2mbox
> /usr/bin/mailq
> /usr/bin/maildirmake
> /usr/bin/maildirwatch
> /usr/bin/qmail-qread
> /usr/bin/qmail-qstat
> /usr/lib/sendmail
> /usr/share/man/man1/bouncesaying.1
> /usr/share/man/man1/condredirect.1
> /usr/share/man/man1/except.1
> /usr/share/man/man1/forward.1
> /usr/share/man/man1/maildir2mbox.1
> /usr/share/man/man1/maildirmake.1
> /usr/share/man/man1/maildirwatch.1
> /usr/share/man/man1/mailsubj.1
> /usr/share/man/man1/preline.1
> /usr/share/man/man1/qbiff.1
> /usr/share/man/man1/qreceipt.1
> /usr/share/man/man1/tcp-env.1
> /usr/share/man/man5/addresses.5
> /usr/share/man/man5/mbox.5
> /usr/share/man/man5/dot-qmail.5
> /usr/share/man/man5/envelopes.5
> /usr/share/man/man5/maildir.5
> /usr/share/man/man5/qmail-control.5
> /usr/share/man/man5/qmail-header.5
> /usr/share/man/man5/qmail-log.5
> /usr/share/man/man5/qmail-users.5
> /usr/share/man/man5/tcp-environ.5
> /usr/share/man/man7/forgeries.7
> /usr/share/man/man7/qmail.7
> /usr/share/man/man7/qmail-limits.7
> /usr/share/man/man8/qmail-newu.8
> /usr/share/man/man8/qmail-command.8
> /usr/share/man/man8/qmail-getpw.8
> /usr/share/man/man8/qmail-inject.8
> /usr/share/man/man8/qmail-local.8
> /usr/share/man/man8/qmail-lspawn.8
> /usr/share/man/man8/qmail-newmrh.8
> /usr/share/man/man8/qmail-pop3d.8
> /usr/share/man/man8/qmail-popup.8
> /usr/share/man/man8/qmail-pw2u.8
> /usr/share/man/man8/qmail-qmqpc.8
> /usr/share/man/man8/qmail-qmqpd.8
> /usr/share/man/man8/qmail-qmtpd.8
> /usr/share/man/man8/qmail-send.8
> /usr/share/man/man8/qmail-qread.8
> /usr/share/man/man8/qmail-qstat.8
> /usr/share/man/man8/qmail-queue.8
> /usr/share/man/man8/qmail-remote.8
> /usr/share/man/man8/qmail-rspawn.8
> /usr/share/man/man8/qmail-showctl.8
> /usr/share/man/man8/qmail-smtpd.8
> /usr/share/man/man8/qmail-start.8
> /usr/share/man/man8/qmail-tcpok.8
> /usr/share/man/man8/qmail-tcpto.8
> /usr/share/man/man8/splogger.8
> /var/qmail

List of installed ucspi-tcp files on your system

> /usr/bin/tcpserver
> /usr/bin/tcprules
> /usr/bin/tcprulescheck
> /usr/bin/argv0
> /usr/bin/recordio
> /usr/bin/who@
> /usr/bin/tcpclient
> /usr/bin/date@
> /usr/bin/finger@
> /usr/bin/http@
> /usr/bin/tcpcat
> /usr/bin/mconnect
> /usr/bin/mconnect-io
> /usr/bin/addcr
> /usr/bin/delcr
> /usr/bin/fixcrio
> /usr/bin/rblsmtpd

List of installed checkpassword files on your system

> /bin/checkpassword
Part IX Internet Message Access Protocol Related Reference
In this Part

Internet Message Access Protocol - UW IMAP

An Internet Message Access Protocol server provides access to personal mail and system-wide
bulletin boards. It is the software that runs in the background and allows users, who use a Mail
User Agent (MUA) program like Netscape Messenger or MS Outlook, to transparently access
and read mail on the server. It is important to note that an Internet Message Access Protocol
server is not required on all servers but only on a mail server that runs as a Central Mail Hub
Server. Not every Mail Transfer Agent (MTA) can run with UW IMAP; this is especially true for
qmail. If you have installed Sendmail as a Mail Hub Server, then you must install an Internet
Message Access Protocol server like UW IMAP to let users access and read mail on the Sendmail
Central Mail Hub Server. On the other hand, if you have installed qmail as your Central Mail Hub
Server, then you can skip this part of the book and continue your reading.
22 Internet Message Access Protocol - UW IMAP
In this Chapter

Compiling - Optimizing & Installing UW IMAP
Configuring UW IMAP
Enable IMAP or POP services via Xinetd
Securing UW IMAP
Running UW IMAP with SSL support
Linux UW IMAP Servers

Abstract

imap-2001 is a major release; it now supports SSL client functionality for IMAP, POP3, SMTP,
and NNTP. With this new release of the UW IMAP software you don't need any separate SSL
modules anymore, which is why I recommend it. If you have configured Sendmail as a Central Mail
Hub Server, you must install the UW IMAP software or you'll not be able to take advantage of your
Linux Mail Server, since Sendmail is just software that sends mail from one machine to another,
and nothing else. A mail server is a server that is running one or more of the following: an IMAP
server, a POP3 server, a POP2 server, or an SMTP server. An example of an SMTP server is
Sendmail, which must already be installed on your Linux server as a Central Mail Hub before
continuing with this part of the book. For now, we are going to cover installing IMAP 4, POP3, and
POP2, which all come in a single package.

With the UW IMAP software, a remote "client" email program can access messages stored on the
Linux mail server as if they were local. For example, email received and stored on an IMAP server
for a user can be manipulated from his/her computer at home, office, etc., without the need to
transfer messages or files back and forth between these computers.

POP stands for "Post Office Protocol" and simply allows you to list messages, retrieve them, and
delete them. IMAP, which stands for Internet Message Access Protocol, is POP on steroids. It
allows you to easily maintain multiple accounts, have multiple people access one account, leave
mail on the server, download just the headers or bodies without attachments, and so on. IMAP is
ideal for anyone on the go, or with serious email needs. The default POP and IMAP servers that
most distributions ship fulfill most needs, and with the addition of SSL capability UW IMAP has
become a very powerful, strong and secure program.


Disclaimer 

Export Regulations. Software, including technical data, is subject to U.S. export control laws, 
including the U.S. Export Administration Act and its associated regulations, and may be subject to 
export or import regulations in other countries. Licensee agrees to comply strictly with all such 
regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, 
or import Software. Software may not be downloaded, or otherwise exported or re-exported (i) 
into, or to a national or resident of, Cuba, Iraq, Iran, North Korea, Libya, Sudan, Syria or any 
country to which the U.S. has embargoed goods; or (ii) to anyone on the U.S. Treasury 
Department's list of Specially Designated Nations or the U.S. Commerce Department's Table of 
Denial Orders. 
[Figure: Internet Message Access Protocol. A router (207.35.78.1) links the External HUB to the
CENTRAL MAIL HUB SERVER, a Sendmail Mail Server with UW IMAP (207.35.78.4). Everyone
from home, work, on the road etc. can access electronic mail or bulletin board messages that
are kept on the Mail Server; adding UW IMAP to the Central Mail Hub Server permits a "client"
email program to access remote message stores as if they were local.]
These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest UW IMAP version number is 2001

Packages
The following is based on information as listed by UW IMAP as of 2001/03/25. Please regularly
check at www.washington.edu/imap/ for the latest status.

Source code is available from:

UW IMAP Homepage: http://www.washington.edu/imap/
UW IMAP FTP Site: 140.142.3.227, 140.142.4.227

You must be sure to download: imap-2001.BETA.tar.Z





Prerequisites

UW IMAP requires that the software listed below be already installed on your system to be able to
compile successfully. If this is not the case, you must install it from source archive files.
Please make sure you have all of these programs installed on your machine before you proceed
with this chapter.

• OpenSSL, which enables support for SSL functionality, must already be installed on your
system to be able to use the IMAP & POP SSL features.

• Xinetd must already be installed on your system to be able to control, start, and stop
the IMAP & POP servers.

• Sendmail should be already installed on your system to be able to use UW IMAP.

NOTE: For more information on the required software, see the related chapters in this book.





Pristine source

If you don't use the RPM package to install this program, it will be difficult for you to locate all installed files on the system in the eventuality of an update in the future. To solve the problem, it is a good idea to make a list of files on the system before you install UW IMAP, and one afterwards, and then compare them using the diff utility of Linux to find out what files are placed where.

• Simply run the following command before installing the software:
[root@deep /root]# find /* > IMAP1

• And the following one after you install the software:
[root@deep /root]# find /* > IMAP2

• Then use the following command to get a list of what changed:
[root@deep /root]# diff IMAP1 IMAP2 > IMAP-Installed

With this procedure, if any upgrade appears, all you have to do is read the generated list of what files were added or changed by the program and remove them manually from your system before installing the new software. In our example above, we use the /root directory of the system to store all generated list files.


Compiling - Optimizing & Installing UW IMAP 

Below are the required steps that you must make to compile and optimize the UW IMAP software 
before installing it into your Linux system. There are some files to modify by specifying the 
installation paths, compilation and optimizations flags for the Linux system. We must hack those 
files to be compliant with our Linux file system structure and install/optimize UW IMAP under our 
PATH Environment variable. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


e These procedures can be accomplished with the following commands: 
[root@deep /]# cp imap-version.tar.Z /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf imap-version.tar.Z 


Step 2 
After that, move into the newly created UW IMAP directory and perform the following steps before 
compiling and optimizing it. 


e To move into the newly created UW IMAP directory use the following command: 
[root@deep tmp]# cd imap-2001/ 


Step 3
It is important to set our optimization flags for the compilation of the UW IMAP software on the server and change some default installation paths to reflect our environment under Linux.

• Edit the Makefile file (vi +425 src/osdep/unix/Makefile) and change the line:

BASECFLAGS="-g -fno-omit-frame-pointer -O6" \

To read:

BASECFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fno-omit-frame-pointer" \

NOTE: You will see many identical or similar lines related to different operating systems in this file. The one which interests us here is named "lnp" for Linux Pluggable Authentication Modules. It is under this section that we must change the above line. This is important since from release to release this line might change with the addition of new code.
• Edit the Makefile file (vi +100 src/osdep/unix/Makefile) and change the line:

CC=cc

To read:

CC=gcc

NOTE: Pay special attention to the BASECFLAGS compile line above. We optimize UW IMAP for an i686 CPU architecture with the parameters "-march=i686" and "-mcpu=i686". Please don't forget to adjust the above optimization FLAGS to reflect your own system and CPU architecture.








• Edit the Makefile file (vi +72 src/osdep/unix/Makefile) and change the lines:

ACTIVEFILE=/usr/lib/news/active

To read:

ACTIVEFILE=/var/lib/news/active

SPOOLDIR=/usr/spool

To read:

SPOOLDIR=/var/spool

RSHPATH=/usr/ucb/rsh

To read:

RSHPATH=/usr/bin/rsh

LOCKPGM=/etc/mlock

To read:

#LOCKPGM=/etc/mlock

NOTE: The "ACTIVEFILE=" line specifies the path of the "active" file for UW IMAP, the "SPOOLDIR=" line is where the "spool" directory of Linux UW IMAP resides, and the "RSHPATH=" line specifies the path of "rsh" on our system. It's important to note that we don't use rsh services on our server, but even so, we specify the right path to "rsh".
Step 4

This section applies only if you want to run the IMAP & POP servers through an SSL connection. The default installation of UW IMAP assumes that OpenSSL, which is required for IMAP/POP with SSL support, has been built under the /usr/local/ssl directory, but because we have a non-standard installation (OpenSSL is under the /usr/share/ssl, /usr/lib and /usr/include/openssl directories), we must modify the src/osdep/unix/Makefile file to point to the appropriate locations.

• Edit the Makefile file (vi +31 src/osdep/unix/Makefile) and change the lines:

SSLDIR=/usr/local/ssl

To read:

SSLDIR=/usr/share/ssl

SSLINCLUDE=$(SSLDIR)/include

To read:

SSLINCLUDE=$(SSLDIR)/../../include

SSLLIB=$(SSLDIR)/lib

To read:

SSLLIB=$(SSLDIR)/../../lib


Step 5

Now, we must make a list of files on the system before you install the software, and one afterwards, then compare them using the diff utility to find out what files are placed where, and finally install UW IMAP on the server:

[root@deep /root]# cd /var/tmp/imap-2001/
[root@deep imap-2001]# make lnp SSLTYPE=unix
[root@deep imap-2001]# cd
[root@deep /root]# find /* > IMAP1
[root@deep /root]# cd /var/tmp/imap-2001/
[root@deep imap-2001]# install -m444 ./src/ipopd/ipopd.8c /usr/share/man/man8/ipopd.8c
[root@deep imap-2001]# install -m444 ./src/imapd/imapd.8c /usr/share/man/man8/imapd.8c
[root@deep imap-2001]# install -s -m755 ./ipopd/ipop3d /usr/sbin/
[root@deep imap-2001]# install -s -m755 ./imapd/imapd /usr/sbin/
[root@deep imap-2001]# install -m644 ./c-client/c-client.a /usr/lib
[root@deep imap-2001]# ln -s /usr/lib/c-client.a /usr/lib/libc-client.a
[root@deep imap-2001]# mkdir -p /usr/include/imap
[root@deep imap-2001]# install -m644 ./c-client/*.h /usr/include/imap/
[root@deep imap-2001]# install -m644 ./src/osdep/tops-20/shortsym.h /usr/include/imap/
[root@deep imap-2001]# cd
[root@deep /root]# find /* > IMAP2
[root@deep /root]# diff IMAP1 IMAP2 > IMAP-Installed


UW IMAP                                                                      CHAPTER 2


The above commands will configure the software to ensure your system has the necessary libraries to successfully compile the package, compile all source files into executable binaries, and then install the binaries and any supporting files into the appropriate locations. Note that the make lnp command above will configure your Linux system with Pluggable Authentication Modules (PAM) capability for better password security.

The 'SSLTYPE=unix' parameter will build UW IMAP with SSL capability enabled. If you don't want to include SSL support in UW IMAP, then all you have to do is omit the 'SSLTYPE=unix' parameter in your compile line above; but be aware that you can always run UW IMAP without SSL support even if you have included the 'SSLTYPE=unix' parameter in your compilation to enable SSL support in the software.

The mkdir command will create a new directory named "imap" under /usr/include. This new directory "imap" will keep all header development files related to the imapd program ("c-client/*.h" and "shortsym.h"). The ln -s command creates a symbolic link from the "c-client.a" file to "libc-client.a", which may be required by some third party programs that you might install in the future.








NOTE: For security reasons, if you only use imapd service, remove the ipop2d and ipop3d 
binaries from your system. The same applies for ipop2d or ipop3d; if you only use ipop2d or 
ipop3d service then remove the imapd binary from your server. If you intend to use imapd, 
ipop2d and ipop3d services all together then keep all binaries. 





Step 6

Once compilation, optimization and installation of the software have been finished, we can free up some disk space by deleting the program tar archive and the related source directory since they are no longer needed.

• To delete the UW IMAP archive and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf imap-version/
[root@deep tmp]# rm -f imap-version.tar.Z

The rm command as used above will remove all the source files we have used to compile and install UW IMAP. It will also remove the UW IMAP compressed archive from the /var/tmp directory.
Configuring UW IMAP
After UW IMAP has been built and installed successfully on your system, your next step is to configure and customize the UW IMAP configuration files. Those files are:

• /etc/pam.d/imap (The IMAP PAM Support Configuration File)
• /etc/pam.d/pop (The POP PAM Support Configuration File)

/etc/pam.d/imap: The IMAP PAM Support Configuration File

During compilation of UW IMAP, we have compiled the software to use Pluggable Authentication Modules (PAM) capability with the 'make lnp' command. Now, we must configure the software to use PAM password authentication support or nothing will work. To do that, you must create the /etc/pam.d/imap file. This PAM file is required only if you intend to provide IMAP service on your system.

• Create the imap file (touch /etc/pam.d/imap) and add the following lines:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth


/etc/pam.d/pop: The POP PAM Support Configuration File

As for the IMAP PAM file above, if you intend to use POP instead of IMAP service, you must configure the software to use PAM password authentication support or nothing will work. To do that, create the /etc/pam.d/pop file. This PAM file is required only if you intend to provide POP service on your system. If you want to provide IMAP and POP support, then you must create and use both files (/etc/pam.d/imap and /etc/pam.d/pop).

• Create the pop file (touch /etc/pam.d/pop) and add the following lines:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth








Enable IMAP or POP services via Xinetd

Xinetd is the successor of inetd and tcp_wrappers; it is more secure, powerful and faster, therefore I recommend you use it instead of inetd and tcp_wrappers to control the IMAP & POP servers. The super server Xinetd takes care of starting and stopping the IMAP or POP servers. Upon execution, Xinetd reads its configuration information from a configuration file which, by default, is /etc/xinetd.conf.

Below we show you four different examples, which can be used to start IMAP or POP services depending on your needs.
Example 1
Here is the sample /etc/xinetd.conf entry for IMAP service (imap):

• Edit the xinetd.conf file (vi /etc/xinetd.conf) and enter your requirements under the services section of this file. Below are the required configuration lines we recommend you add to enable the imap service:

# description: The IMAP service allows remote users to access their \
# mail using an IMAP client such as Mutt, Pine, \
# fetchmail, or Netscape Communicator.
service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
        only_from       = 0.0.0.0/0 localhost
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = -2
}
Example 2
This section applies only if you want to run the IMAP server through an SSL connection. Here is the sample /etc/xinetd.conf entry for IMAP service with SSL support (imaps):

• Edit the xinetd.conf file (vi /etc/xinetd.conf) and enter your requirements under the services section of this file. Below are the required configuration lines we recommend you add to enable the imaps service:

# description: The IMAP service allows remote users to access their \
# mail using an IMAP client with SSL support such as \
# Netscape Communicator or fetchmail.
service imaps
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
        only_from       = 0.0.0.0/0 localhost
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = -2
}
Example 3
Here is the sample /etc/xinetd.conf entry for POP3 service (pop3):

• Edit the xinetd.conf file (vi /etc/xinetd.conf) and enter your requirements under the services section of this file. Below are the required configuration lines we recommend you add to enable the pop3 service:

# description: The POP3 service allows remote users to access their \
# mail using a POP3 client such as Netscape Communicator, \
# mutt, or fetchmail.
service pop3
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        only_from       = 0.0.0.0/0 localhost
        log_on_success  += USERID
        log_on_failure  += USERID
        nice            = -2
}

Example 4
This section applies only if you want to run the POP3 server through an SSL connection. Here is the sample /etc/xinetd.conf entry for POP3 service with SSL support (pop3s):

• Edit the xinetd.conf file (vi /etc/xinetd.conf) and enter your requirements under the services section of this file. Below are the required configuration lines we recommend you add to enable the pop3s service:

# description: The POP3S service allows remote users to access their \
# mail using a POP3 client with SSL support such as \
# fetchmail.
service pop3s
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        only_from       = 0.0.0.0/0 localhost
        log_on_success  += USERID
        log_on_failure  += USERID
        nice            = -2
}








NOTE: To my knowledge, the only POP3 client which supports POP3 with SSL technology is fetchmail; therefore don't try to use Netscape or Outlook to read your mail through pop3s. Instead use imaps.
Don't forget to update your xinetd.conf file for the changes to take effect by restarting the Xinetd daemon program.

• To update your xinetd.conf file, use the following command:
[root@deep /]# /etc/rc.d/init.d/xinetd restart
Stopping xinetd:   [OK]
Starting xinetd:   [OK]








WARNING: All the above Xinetd configurations assume that the defaults section of your xinetd configuration file is configured as follows to enable the pop3s, pop3, imaps, and imap services:

defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST RECORD
        only_from       =
        per_source      = 5
        enabled         = pop3s pop3 imaps imap
}

If you don't want to enable pop3s, imaps or imap then remove them from the enabled line. The same applies to the other IMAP/POP services shown above. For more information about Xinetd, please read the appropriate Xinetd chapter in this book.
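As an added check (not part of the book or of xinetd), the following Python script parses an xinetd.conf of the shape shown in the four examples and the defaults section above, and reports the mismatches a defender cares about: services enabled without a block, blocks that are not enabled, cleartext imap/pop3 listeners reachable from anywhere, and cleartext services with no imaps/pop3s counterpart. Both configurations it runs over are constructed samples, not files from the book.

```python
"""Audit xinetd.conf entries for the UW IMAP and POP services of this chapter.

Added example, not from the book or xinetd: reports services named in ``enabled``
with no block, blocks that are not enabled (they never start), cleartext imap/pop3
listeners reachable from anywhere, and cleartext services with no SSL counterpart.
"""
import re

# Constructed sample: the chapter's "defaults" section plus Examples 1 and 3.
SAMPLE_XINETD_CONF = """
defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST RECORD
        only_from       =
        per_source      = 5
        enabled         = pop3s pop3 imaps imap
}

service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
        only_from       = 0.0.0.0/0 localhost
        log_on_success  += DURATION USERID
}

service pop3
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        only_from       = 0.0.0.0/0 localhost
}
"""

# Constructed hardened variant: SSL-only IMAP, restricted to one client subnet.
HARDENED_XINETD_CONF = """
defaults
{
        enabled         = imaps
}

service imaps
{
        server          = /usr/sbin/imapd
        only_from       = 192.168.1.0/24 localhost
}
"""

BLOCK_RE = re.compile(r"^\s*(defaults|service\s+(\S+))\s*\{(.*?)^\s*\}", re.S | re.M)
# Only spaces/tabs may surround '=', so an empty value never swallows the next line.
ATTR_RE = re.compile(r"^[ \t]*(\w+)[ \t]*(\+=|-=|=)[ \t]*(.*?)[ \t]*$", re.M)
CLEARTEXT_TO_SSL = {"imap": "imaps", "pop3": "pop3s"}


def parse_xinetd(text):
    """Return (defaults, services) as attribute dicts; '+=' appends, '-=' removes."""
    defaults, services = {}, {}
    for block in BLOCK_RE.finditer(text):
        attrs = {}
        for key, op, value in ATTR_RE.findall(block.group(3)):
            if op == "+=":
                attrs[key] = (attrs.get(key, "") + " " + value).strip()
            elif op == "-=":
                attrs[key] = " ".join(t for t in attrs.get(key, "").split() if t not in value.split())
            else:
                attrs[key] = value
        if block.group(1) == "defaults":
            defaults = attrs
        else:
            services[block.group(2)] = attrs
    return defaults, services


def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    defaults, services = parse_xinetd(text)
    enabled = defaults.get("enabled", "").split()
    findings = [f"{n}: listed in 'enabled' but has no service block" for n in enabled if n not in services]
    for name, attrs in services.items():
        if enabled and name not in enabled:
            findings.append(f"{name}: service block present but not in 'enabled', so it never starts")
        # A block without its own only_from inherits the default (empty in the chapter).
        only_from = attrs.get("only_from", defaults.get("only_from", "")).split()
        if name in CLEARTEXT_TO_SSL:
            if "0.0.0.0/0" in only_from or "0.0.0.0" in only_from:
                findings.append(f"{name}: cleartext-password service reachable from anywhere "
                                f"(only_from = {' '.join(only_from)})")
            ssl_name = CLEARTEXT_TO_SSL[name]
            if ssl_name not in services or ssl_name not in enabled:
                findings.append(f"{name}: no {ssl_name} service enabled, so clients have no SSL option")
    return findings
```

Running audit() over the chapter sample yields six findings (imaps and pop3s enabled without blocks, both cleartext services open to 0.0.0.0/0 and without an SSL counterpart); the hardened variant yields none.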





Securing UW IMAP 

This section deals with actions we can make to improve and tighten security under UW IMAP. The 
interesting points here are that we refer to the features available within the base installed program 
and not to any additional software. 


Do you really need UW IMAP server and its services?

Be aware that IMAP/POP programs use plain text passwords by default. Anyone running a sniffer program along your network path can grab the username/password and use them to log in as you. Using an IMAP/POP Mail User Agent (MUA) like Netscape on your LINUX system does not mean that you need to run the UW IMAP server locally. Check your configuration, and if you use a remote/external IMAP/POP server then uninstall UW IMAP on your system.
[Diagram: Plain text password. A client email program sends its plain text password and username to the Mail Hub Server with UW IMAP; the server authenticates the client and sends the mail messages. A sniffer program is running on the client side of the network path.]

• If a sniffer program is running along your network path, it will catch your username and password and use them to log in as you. Here is where creating a user without shell access will help, since crackers will only be able to read the user's mail and not log in to the system with the username and password.

The right way to create mail users on the Mail Server

Having to set up and add a new user to the Mail Server does not mean that this user needs to have a shell account on the system. Shell accounts are precious and must be given out only if necessary. If you only want to allow a mail user to get, read and send mail (usually this is what all of us are looking for), then all you have to do is create a new account for this user without shell access. Creating a mail user account without shell access to the system will eliminate many risks related to the fact that crackers can use a mail user account to access the server.

From here, we can explain one reason why having a dedicated machine that runs a Mail Server is important. If you have a server dedicated to electronic mail, then the only legitimate user allowed to have login shell access by default to the system will be the super-user 'root'. Imagine it this way: you can run, for example, 1000 mail users and even if one of them is compromised, there is no problem since access to the system can be gained only by our super-user 'root'.


Step 1

The principle of creating a user without a login shell account is the same as for creating an FTP user without a shell account. This procedure can be applied to any other service for which you want a user without shell access to the system.

• Use the following commands to create users in the /etc/passwd file. This step must be done for each additional new mail user you allow to access your Mail Server.

[root@deep /]# useradd -s /bin/false gmourani 2>/dev/null || :
[root@deep /]# passwd gmourani
Changing password for user gmourani
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

The useradd command will add the new mail user named gmourani to the Linux Mail Server. The '-s' option specifies the name of the user's login shell; in our case we choose /bin/false and redirect the error output to /dev/null. Finally, the passwd command will set the password for this user gmourani.
Step 2
Now, edit the shells file (vi /etc/shells) and add a non-existent shell name like '/bin/false', which is the one we used in the useradd command above.

[root@deep /]# vi /etc/shells
/bin/bash2
/bin/bash
/bin/sh
/bin/false     <-- This is our added non-existent shell

NOTE: You only have to do Step 2 one time. If the shell called "/bin/false" already exists in the /etc/shells file, then you don't have to add it again. Yes I know, but I prefer to be clear here.
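The following Python script is an added example, not part of the book: it applies the rule of Steps 1 and 2 to the text of /etc/passwd and /etc/shells, listing every account other than root that still has a login shell and every shell in use that is missing from /etc/shells. The passwd and shells contents are constructed samples; gmourani is the user created above and "alice" is an assumed mail user who was given a real shell by mistake.

```python
"""Report accounts on a dedicated Mail Hub Server that still have a login shell.

Added example, not part of the book: applies the rule of this section (mail users
get /bin/false, only root keeps a shell) to /etc/passwd and /etc/shells text, and
lists shells used in passwd but missing from /etc/shells (the Step 2 problem).
"""

# Constructed /etc/shells as left by Step 2 above.
SAMPLE_SHELLS = "/bin/bash2\n/bin/bash\n/bin/sh\n/bin/false\n"

# Constructed /etc/passwd: gmourani was created as in Step 1; "alice" is a
# mail user who was mistakenly given a real shell.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
gmourani:x:500:500::/home/gmourani:/bin/false
alice:x:501:501:mail user:/home/alice:/bin/bash
"""

# Shells that cannot open an interactive session; accounts using them are fine.
NON_LOGIN_SHELLS = {"", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Yield (name, uid, shell) for every well-formed passwd line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] and not line.startswith("#"):
            yield fields[0], int(fields[2]), fields[6]


def parse_shells(text):
    """Return the set of shells listed in an /etc/shells file (comments ignored)."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")}


def accounts_with_login_shell(passwd_text, allowed=("root",)):
    """Return [(name, uid, shell)] for accounts that can log in and are not in allowed."""
    return [(n, u, s) for n, u, s in parse_passwd(passwd_text)
            if s not in NON_LOGIN_SHELLS and n not in allowed]


def shells_missing_from_etc_shells(passwd_text, shells_text):
    """Return the sorted list of shells used in passwd but absent from /etc/shells."""
    listed = parse_shells(shells_text)
    return sorted({s for _, _, s in parse_passwd(passwd_text) if s and s not in listed})
```

On a dedicated mail server the first function should return an empty list; on the sample it flags alice, and the second function reports /bin/false as soon as it is removed from /etc/shells.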





Running UW IMAP with SSL support

This section applies only if you want to run UW IMAP through an SSL connection. If you are an ISP with many regular users, this may not be the case for you, but if you are a company that provides a mail service to a limited set of users, this can be good for you. We know now that IMAP/POP programs use plain text passwords by default. The solution to prevent someone using a sniffer program from grabbing the username/password of your mail users is to use the new SSL capability of UW IMAP to encrypt the client sessions.

We have already configured UW IMAP during compilation to enable its SSL support with the use of the special parameter 'SSLTYPE=unix', therefore UW IMAP is SSL compatible even if you decide not to use its SSL functionality at this time. Now, all we have to do is to set up the certificates. Below I'll show you how to set up a self-signed certificate to use with UW IMAP; the principle is the same as for creating a certificate for a Web Server (refer to the OpenSSL chapter if you have problems creating the certificates).


Step 1 

First you have to know the Fully Qualified Domain Name (FQDN) of the Mail Hub Server for 
which you want to request a certificate. When your incoming mail server address is 
boreas.openna.com then the FQDN of your Mail Hub Server is boreas.openna.com. 


Step 2

Create a self-signed certificate (x509 structure) without a pass-phrase. The req command creates a self-signed certificate when the -x509 switch is used. For certificates signed by a commercial Certifying Authority (CA) like Thawte, refer to the OpenSSL chapter for the required procedures to follow.


• To create a self-signed certificate, use the following commands:
[root@deep ssl]# cd /usr/share/ssl
[root@deep ssl]# openssl req -new -x509 -nodes -days 365 -out tmp.pem
Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
writing new private key to 'privkey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) [boreas.openna.com]:
Email Address [noc@openna.com]:























WARNING: Pay special attention to the '-nodes' option we have used in the above command to create the self-signed certificate. The option '-nodes' creates a certificate without a protected pass-phrase; it is very important to create a certificate without a pass-phrase because the IMAP/POP server cannot ask you to enter a password before starting its daemon. Also, be sure that you've entered the FQDN (Fully Qualified Domain Name) of the Mail Hub Server when OpenSSL prompts you for the "Common Name".





Step 3
Once the self-signed certificate has been created, we must be sure that the future imapd.pem file has both an RSA PRIVATE KEY and a CERTIFICATE section.

• To append the CERTIFICATE section to the RSA PRIVATE KEY, use the command:
[root@deep ssl]# cat tmp.pem >> privkey.pem

The above command will append the CERTIFICATE file named 'tmp.pem' to the RSA PRIVATE KEY file named 'privkey.pem'.


Step 4

Next, we must place the certificate file in its appropriate directory and rename it imapd.pem for the IMAP/POP server to recognize it. If you rename the certificate something other than 'imapd.pem', be aware that UW IMAP will not recognize it.

• To place the file into its appropriate directory, use the following commands:
[root@deep ssl]# mv privkey.pem certs/imapd.pem
[root@deep ssl]# chmod 400 certs/imapd.pem
[root@deep ssl]# rm -f tmp.pem

First we move the privkey file, which contains both the RSA PRIVATE KEY and CERTIFICATE sections, to the certs directory and rename it imapd.pem for UW IMAP to use. After that we remove the tmp.pem file from our system since it is no longer needed.








WARNING: Netscape and Outlook support only imapd through SSL, and pop3d with SSL works only with fetchmail. If you intend to use Netscape or Outlook to read your mail through SSL, then use imapd and not pop3d. Also don't forget to configure imaps in the xinetd.conf configuration file to enable imapd with SSL support on your system.
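Before restarting Xinetd it is worth checking the assembled imapd.pem mechanically. The Python script below is an added example (not from the book or from UW IMAP): it confirms that the file has exactly one private key and one CERTIFICATE section, that the key carries no pass-phrase (the point of the '-nodes' warning above), and that it is mode 0400 as set by the chmod in Step 4. The paths and PEM bodies it writes are constructed placeholders, not real key material.

```python
"""Check the imapd.pem certificate file assembled in Steps 2 to 4 of this chapter.

Added example, not part of the book or of UW IMAP: verifies that the file holds
exactly one private key and one certificate, that the key is unencrypted (the
reason for '-nodes': imapd is started by xinetd and cannot prompt for a pass-phrase),
and that the file is mode 0400. Paths and PEM bodies below are constructed.
"""
import os
import re
import stat
import tempfile

PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)

# base64("CONSTRUCTED-PLACEHOLDER"): stands in for real key/certificate bytes.
PLACEHOLDER_BODY = "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n"


def pem_blocks(text):
    """Return a list of (label, body) tuples for each PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK_RE.finditer(text)]


def check_imapd_pem(path, expected_mode=0o400):
    """Return a list of problems with the file at path; [] means it is usable."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: not found (did you mv privkey.pem certs/imapd.pem?)"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != expected_mode:
        problems.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    with open(path, encoding="ascii") as fh:
        text = fh.read()
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"{path}: expected 1 private key section, found {len(keys)}")
    if len(certs) != 1:
        problems.append(f"{path}: expected 1 CERTIFICATE section, found {len(certs)} "
                        "(cat tmp.pem >> privkey.pem adds it)")
    # Traditional OpenSSL keys mark encryption with a Proc-Type header;
    # PKCS#8 keys use the ENCRYPTED PRIVATE KEY label instead.
    if any("Proc-Type: 4,ENCRYPTED" in body or label.startswith("ENCRYPTED")
           for label, body in keys):
        problems.append(f"{path}: private key is pass-phrase protected; rebuild it with -nodes")
    return problems


def write_sample_pem(path, encrypted=False, with_cert=True, mode=0o400):
    """Write a constructed imapd.pem-shaped file for demonstration; return its path."""
    key_hdr = "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n" if encrypted else ""
    text = "-----BEGIN RSA PRIVATE KEY-----\n" + key_hdr + PLACEHOLDER_BODY + "-----END RSA PRIVATE KEY-----\n"
    if with_cert:
        text += "-----BEGIN CERTIFICATE-----\n" + PLACEHOLDER_BODY + "-----END CERTIFICATE-----\n"
    with open(path, "w", encoding="ascii") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def demo():
    """Check a correct file, a broken one and a missing one; return the findings."""
    workdir = tempfile.mkdtemp(prefix="imapd-pem-check-")
    good = write_sample_pem(os.path.join(workdir, "imapd.pem"))
    bad = write_sample_pem(os.path.join(workdir, "bad.pem"), encrypted=True, with_cert=False, mode=0o644)
    return {
        "good": check_imapd_pem(good),
        "bad": check_imapd_pem(bad),
        "missing": check_imapd_pem(os.path.join(workdir, "absent.pem")),
    }
```

On a real server, call check_imapd_pem("/usr/share/ssl/certs/imapd.pem") directly; the broken sample in demo() trips all three checks (mode, missing certificate, pass-phrase).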
Now, it is important to verify that the new imapd.pem certificate file works before connecting with a client MUA program like Netscape to read mail through SSL. Please make sure that the Xinetd daemon with the imaps value enabled is already running before proceeding with the test.

• To test your new IMAP certificate, use the following command:
[root@deep ssl]# openssl
OpenSSL> s_client -host boreas.openna.com -port 993
CONNECTED(00000003)
depth=0 /C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/CN=boreas.openna.com/Email=noc@openna.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/CN=boreas.openna.com/Email=noc@openna.com
verify return:1
Certificate chain
 0 s:/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/CN=boreas.openna.com/Email=noc@openna.com
   i:/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/CN=boreas.openna.com/Email=noc@openna.com
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/CN=boreas.openna.com/Email=noc@openna.com
issuer=/C=CA/ST=Quebec/L=Montreal/O=Open Network Architecture/CN=boreas.openna.com/Email=noc@openna.com
No client certificate CA names sent
SSL handshake has read 1075 bytes and written 314 bytes
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: (value omitted)
    Session-ID-ctx:
    Master-Key: (value omitted)
    Key-Arg   : None
    Start Time: 976954222
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
* OK [CAPABILITY IMAP4 IMAP4REV1 STARTTLS LOGIN-REFERRALS AUTH=PLAIN AUTH=LOGIN] ullyse.mttconseil.com IMAP4rev1 2000.284 at Sat, 16 Dec 2000 03:10:22 -0500 (EST)

If the results look like those above, then communications from the Mail Hub Server to the client machine are encrypted for imapd with the SSL protocol. Congratulations!


Step 6

Recall that by default all connections from an external client to the imap secure server are allowed via port 143 (the default imap port) only, therefore it is important to allow traffic through port 993 (imaps) in our firewall script file for the Internet Message Access Protocol over SSL to accept external connections.

• Edit the iptables script file (vi /etc/rc.d/init.d/iptables), and add/check the following lines to allow imaps packets to traverse the network:

# IMAP server over SSL (993)
#
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port 993 -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
         -s $IPADDR --source-port 993 \
         --destination-port $UNPRIVPORTS -j ACCEPT

Where EXTERNAL_INTERFACE="eth0"          # Internet connected interface
Where IPADDR="207.35.78.4"               # Your IP address for eth0
Where UNPRIVPORTS="1024:"                # Unprivileged port range
Step 7

Finally, if you have installed PortSentry on your server, it is important to add the imaps port 993 to the list of allowed ports in the PortSentry configuration file called "portsentry.conf", or any future connections to this port will be blocked by the program.

• Edit the portsentry.conf file (vi /etc/portsentry/portsentry.conf), and add the port number 993 to instruct PortSentry to ignore this port:

# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,993,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
Further documentation
For more details, there are some UW IMAP manual pages that you can read:

$ man imapd (8C) - Internet Message Access Protocol server
$ man ipopd (8C) - Post Office Protocol server

List of installed UW IMAP files on your system

> /etc/pam.d/imap
> /etc/pam.d/pop
> /usr/include/imap
> /usr/include/imap/c-client.h
> /usr/include/imap/dummy.h
> /usr/include/imap/env.h
> /usr/include/imap/env_unix.h
> /usr/include/imap/fdstring.h
> /usr/include/imap/flstring.h
> /usr/include/imap/fs.h
> /usr/include/imap/ftl.h
> /usr/include/imap/imap4r1.h
> /usr/include/imap/linkage.h
> /usr/include/imap/lockfix.h
> /usr/include/imap/mail.h
> /usr/include/imap/mbox.h
> /usr/include/imap/mbx.h
> /usr/include/imap/mh.h
> /usr/include/imap/misc.h
> /usr/include/imap/mmdf.h
> /usr/include/imap/mtx.h
> /usr/include/imap/mx.h
> /usr/include/imap/netmsg.h
> /usr/include/imap/news.h
> /usr/include/imap/newsrc.h
> /usr/include/imap/nl.h
> /usr/include/imap/nntp.h
> /usr/include/imap/os_a32.h
> /usr/include/imap/os_a41.h
> /usr/include/imap/os_aix.h
> /usr/include/imap/os_aos.h
> /usr/include/imap/os_art.h
> /usr/include/imap/os_asv.h
> /usr/include/imap/os_aux.h
> /usr/include/imap/os_bsd.h
> /usr/include/imap/os_bsi.h
> /usr/include/imap/os_cvx.h
> /usr/include/imap/osdep.h
> /usr/include/imap/os_d-g.h
> /usr/include/imap/os_do4.h
> /usr/include/imap/os_drs.h
> /usr/include/imap/os_dyn.h
> /usr/include/imap/os_hpp.h
> /usr/include/imap/os_isc.h
> /usr/include/imap/os_lnx.h
> /usr/include/imap/os_lyn.h
> /usr/include/imap/os_mct.h
> /usr/include/imap/os_mnt.h
> /usr/include/imap/os_nxt.h
> /usr/include/imap/os_os4.h
> /usr/include/imap/os_osf.h
> /usr/include/imap/os_osx.h
> /usr/include/imap/os_ptx.h
> /usr/include/imap/os_pyr.h
> /usr/include/imap/os_qnx.h
> /usr/include/imap/os_s40.h
> /usr/include/imap/os_sc5.h
> /usr/include/imap/os_sco.h
> /usr/include/imap/os_sgi.h
> /usr/include/imap/os_shp.h
> /usr/include/imap/os_slx.h
> /usr/include/imap/os_sol.h
> /usr/include/imap/os_sos.h
> /usr/include/imap/os_sun.h
> /usr/include/imap/os_sv2.h
> /usr/include/imap/os_sv4.h
> /usr/include/imap/os_ult.h
> /usr/include/imap/os_vu2.h
> /usr/include/imap/phile.h
> /usr/include/imap/pop3.h
> /usr/include/imap/pseudo.h
> /usr/include/imap/rfc822.h
> /usr/include/imap/smtp.h
> /usr/include/imap/tcp.h
> /usr/include/imap/tcp_unix.h
> /usr/include/imap/tenex.h
> /usr/include/imap/unix.h
> /usr/include/imap/utf8.h
> /usr/include/imap/shortsym.h
> /usr/lib/c-client.a
> /usr/lib/libc-client.a
> /usr/sbin/ipop3d
> /usr/sbin/imapd
> /usr/share/man/man8/ipopd.8c
> /usr/share/man/man8/imapd.8c
I've put a break here to summarize what we have been doing since the beginning of the book,
and I hope that you have found it interesting.

1) First, we installed Linux and removed all unneeded programs to obtain a clean and secure
server. Recall that a secure server begins as one from which all unneeded services and programs
have been uninstalled.

2) After that, we tightened the security of the configured system using only the default tools
of Linux, without the need for external programs.

3) We optimized the system to perform at its peak by using specific compiler flags and by
replacing the default Linux library files with ones optimized for our processor.

4) We recompiled the Linux kernel to best fit our system and to get the most out of it in terms
of kernel security and optimization.

5) We tuned and secured our TCP/IP networking.

6) We installed a firewall that corresponds closely to our network architecture and to the
services we want to enable, so as to build a fortress around our server.

7) We installed the minimum recommended set of security tools on the server to keep
communications as secure as possible and to counter the attacks and probes that will certainly
reach our network.

8) We installed ISC BIND & DNS according to the configuration we want for the server. Recall
that ISC BIND & DNS is very important and must be installed on every kind of server, since many
of the services described in this book rely on it to work properly.

9) Finally, we installed a mail server according to the configuration and the tasks of the
server we want to build. Once again, don't forget that on every machine that runs a Unix
operating system a mail server is necessary and NOT optional.

From here on, every chapter of this book is optional and depends on what you want to do with
your server (what kind of tasks it will perform, and for which part of your network, Intranet or
Internet). Whatever you decide to install (Web, FTP, SQL, backup, file sharing servers, etc.), it
is absolutely vital to apply all of the information and tutorials shown so far on all of your
Linux machines.

Everything you have read in this book up to here is the minimum set of actions to take on any
Linux system you intend to put online, if you want a secure, optimized and functional Linux
server. After that, any specific service you install turns the machine into a Web server, mail
server, etc., depending on the service installed.

Finally, don't forget that security and optimization do not stop here: even if you have secured
your system as well as possible, every additional service you install and enable brings a new
security risk, and for this reason it must be installed and configured in the most secure manner
available. This is why all chapters related to a specific service, from Part X through the end
of this book, also cover the secure installation and configuration of that service.
Part X Database Server Related Reference
In this Part

Database Server - MySQL
Database Server - PostgreSQL
Database Server - OpenLDAP

Once you decide to go into serious business, you'll inevitably find that you need a database to
store and retrieve information. One of the primary reasons for the invention of the computer is to
store, retrieve and process information, and to do all of this very quickly. The most popular
database systems are based on the International Organization for Standardization (ISO) SQL
specifications, which are in turn based on the ANSI (American) SQL standards.

This part of the book deals with software that the Linux distribution may or may not provide as
part of its core distribution. In some cases it may be provided as an extra, but it may also come
as a pre-compiled binary that does not exactly suit your purpose. Hence we have, in most cases,
used source packages, usually packed as gzipped tar archives (*.tar.gz). This gives us the
maximum amount of choice to tweak, secure, optimize and remove options within this software.
23 Database Server - MySQL
In this Chapter

Recommended RPM packages to be installed for a SQL Server
Compiling - Optimizing & Installing MySQL
Configuring MySQL
Securing MySQL
Optimizing MySQL
MySQL Administrative Tools
Linux MySQL Database Server

Abstract

Once you begin to serve and supply services to your customers, you'll inevitably find that you
need to keep information about them in an archive that is accessible and modifiable at any time
you want it. These tasks can be accomplished with the use of a database. Many databases are
available on Linux; choosing one can be complicated, as it must support a number of programming
languages, standards and features. PostgreSQL is a sophisticated Object-Relational DBMS that
supports almost all SQL constructs and can respond to complicated and complex database needs.

In real use, and especially for Web server connectivity with SQL databases, the need for this
kind of complex arrangement is not always present and may penalize performance. For this reason
some companies decided to create an SQL server that responds to these simpler requirements.
MySQL is a small SQL database built with only the most essential SQL constructs, and it gains
performance by leaving the other functions out.

As explained on the MySQL web site:

MySQL is a true multi-user, multi-threaded SQL database server. SQL (Structured Query
Language) is the most popular and standardized database language in the world. MySQL is a
client/server implementation that consists of a server daemon "mysqld" and many different client
programs and libraries. The main goals of MySQL are speed, robustness and ease of use. MySQL
was originally developed for the need of an SQL server that could handle very large databases an
order of magnitude faster than what any database vendor could offer on inexpensive hardware.

Many of us use MySQL as the database for an application server and presume that it is the fastest
SQL server available today. I don't think quite the same: MySQL is very fast, but with the fast
pace of open source development, situations change quickly, and this might be taken over by the
new release of PostgreSQL.





[Figure: two benchmark graphs, "Read/Update Concurrency Test" and "Bug Browser Test", plotting
Pages/Second against Concurrent Users for MySQL and PostgreSQL.]

Open Source Databases: As The Tables Turn. The graphs come from the www.phpbuilder.com
website, from an article by Tim Perdue: http://www.phpbuilder.com/columns/tim20001112.php3

Yes, contrary to what we may think, PostgreSQL is faster than MySQL in many areas. But to
be honest, MySQL is easier to use and to link with external applications than PostgreSQL. It is
also widely used by many third-party programs, and from the point of view of compatibility and
integration this is very important. Anyway, it is up to you to decide which of these two beautiful
databases best suits your needs.

Since many readers asked for MySQL to be documented in the next release of the book, here we
go.
Recommended RPM packages to be installed for a SQL Server

A minimum configuration provides the basic set of packages required by the Linux operating
system. A minimum configuration is a perfect starting point for building a secure operating
system. Below is the list of all recommended RPM packages required to run your Linux server
properly as a database server (SQL) running the MySQL software.

This configuration assumes that your kernel is a monolithic kernel. It also assumes that you will
install MySQL from its RPM package; therefore the mysql and mysql-server RPM packages are
already included in the list below. Not all security tools are installed; it is up to you to
install the ones you need as RPM packages, since the compiler packages are not installed and are
not included in the list.

basesystem      bash            bdflush         bind            bzip2
chkconfig       console-tools   cpio            cracklib        cracklib-dicts
crontabs        db1             db2             db3             dev
devfsd          diffutils       e2fsprogs       file            filesystem
fileutils       findutils       gawk            gdbm            gettext
glib            glibc           glibc-common    grep            groff
gzip            info            initscripts     iptables        kernel
libstdc++       libtermcap      lilo            logrotate       losetup
MAKEDEV         man             mingetty        mktemp          mount
mysql           mysql-server    ncurses         net-tools       newt
openssh         openssh-server  openssl         pam             passwd
perl            popt            procps          psmisc          pwdb
qmail           readline        rootfiles       rpm             sed
setup           sh-utils        shadow-utils    slang           slocate
sysklogd        syslinux        SysVinit        tar             termcap
textutils       tmpwatch        utempter        util-linux      vim-common
vim-minimal     vixie-cron      which           words           zlib
Tested and fully functional on OpenNA.com.

[Figure: network schema of possible SQL server uses. An outside client, passing the firewall and
router, asks the remote SQL server for search results through the Web server; a local client on
the internal network queries an SQL server directly (labelled "SQL Server for medical" in the
diagram).]

This schema shows you some possible uses of SQL Servers.
These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (other paths are possible, at your personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest MySQL version number is 3.23.38

Packages
The following are based on information as listed by MySQL as of 2001/06/02. Please regularly
check at www.mysql.com/ for the latest status.

Source code is available from:

MySQL Homepage: http://www.mysql.com/
MySQL FTP Site: 64.28.67.70

You must be sure to download: mysql-3.23.38.tar.gz

Pristine source

If you don't use the RPM package to install this program, it will be difficult for you to locate all
the installed files on the system in the event of an update in the future. To solve the problem,
it is a good idea to make a list of the files on the system before you install MySQL, and one
afterwards, and then compare them using the diff utility of Linux to find out which files were
placed where.

• Simply run the following command before installing the software:
[root@deep /root]# find /* > MySQL1

• And the following one after you install the software:
[root@deep /root]# find /* > MySQL2

• Then use the following command to get a list of what changed:
[root@deep /root]# diff MySQL1 MySQL2 > MySQL-Installed

With this procedure, if any upgrade appears, all you have to do is read the generated list of
which files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of the
system to store all the generated list files.
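The same before/after comparison as a small reusable script, added here as an example and not part
of the book's procedure. It differs from the plain find/diff above in three ways a practitioner will
want: /proc and /sys are pruned from the walk (their contents change between the two runs and would
show up as noise), both lists are sorted in the C locale and compared with comm so the result does
not depend on the order find walks the tree, and the list of added paths is written longest-first so
that an uninstall pass can remove files before their directories. The function names and the
/root/MySQL1 and /root/MySQL2 file names in the comments are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the book): snapshot a tree before and after an
# install and report what was added or removed.

# snapshot <root> <listfile>: record every path under <root>, one per line,
# skipping /proc and /sys, sorted in the C locale so comm(1) can compare it.
snapshot() {
    local root=${1%/}
    find "${root:-/}" \( -path "$root/proc" -o -path "$root/sys" \) -prune -o -print 2>/dev/null \
        | LC_ALL=C sort > "$2"
}

# added_files <before> <after>: paths present only in the later snapshot.
added_files() {
    LC_ALL=C comm -13 "$1" "$2"
}

# removed_files <before> <after>: paths present only in the earlier snapshot.
removed_files() {
    LC_ALL=C comm -23 "$1" "$2"
}

# uninstall_list <before> <after> <outfile>: write the added paths longest
# first (a child path is always longer than its parent), so a later
# "xargs rm -f" / "xargs rmdir" pass removes files before their directories.
# Review the file by hand before feeding it to rm.
uninstall_list() {
    added_files "$1" "$2" | awk '{ print length($0) "\t" $0 }' \
        | sort -rn | cut -f2- > "$3"
}

# Typical use on the real server, as root:
#   snapshot / /root/MySQL1
#   make install          (and the other install commands of Step 5)
#   snapshot / /root/MySQL2
#   uninstall_list /root/MySQL1 /root/MySQL2 /root/MySQL-Installed
```

Keep the two snapshot files together with the uninstall list under /root, as the book does, so that
they survive an upgrade of the package that produced them.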


Compiling - Optimizing & Installing MySQL
Below are the required steps that you must take to compile and optimize the MySQL database
software before installing it on your Linux system. First off, we install the program as user 'root'
so as to avoid authorization problems.

Step 1
Once you get the program from the main software site you must copy it to the /var/tmp
directory and change to this location before expanding the archive.

• These procedures can be accomplished with the following commands:
[root@deep /]# cp mysql-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf mysql-version.tar.gz

Step 2
After that, move into the newly created MySQL source directory and perform the following steps
before compiling it for your specific system.

• To move into the newly created MySQL source directory use the following command:
[root@deep tmp]# cd mysql-3.23.38/

Step 3
We must create a new user account called "mysql" in the /etc/passwd file to be the owner of
the MySQL database files and daemon.

• To create this special MySQL user account, use the following command:
[root@deep mysql-3.23.38]# useradd -M -o -r -d /var/lib/mysql -s /bin/bash -c "MySQL Server" -u 27 mysql >/dev/null 2>&1 || :

Step 4
At this stage, it is time to configure and optimize MySQL for our system.

• To configure and optimize MySQL use the following compilation lines:
CFLAGS="-static -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
CXXFLAGS="-static -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer -felide-constructors -fno-exceptions -fno-rtti" \
./configure \
--prefix=/usr \
--libexecdir=/usr/sbin \
--sysconfdir=/etc \
--localstatedir=/var/lib/mysql \
--mandir=/usr/share/man \
--disable-shared \
--with-mysqld-user=mysql \
--with-unix-socket-path=/var/lib/mysql/mysql.sock \
--with-client-ldflags=-all-static \
--with-mysqld-ldflags=-all-static \
--without-debug \
--without-docs \
--without-bench

This tells MySQL to set itself up for this particular configuration setup with:

- Disable shared libraries to compile statically linked programs (13% faster on Linux).
- Define the user the mysqld daemon shall run as (never run the MySQL daemon as the 'root' user).
- Use Unix sockets rather than TCP/IP to connect to the database, which gives better performance.
- Disable shared libraries to avoid error messages when using "CXX=gcc" at compile time.
- Build a production version without debugging code, which runs MySQL 20% faster for most queries.
- Skip building the MySQL documentation to save space on the server.
- Skip building the benchmark tools to save space on the server.

NOTE: Using CXX=gcc at compile time when configuring MySQL avoids including the libstdc++
library, which is not needed, and also improves the performance of the database. Also note the
optimization FLAGS above: the optimization level "-O3" is not specified here, since MySQL
automatically adjusts and adds the required optimization level depending on which parts of the
program it compiles. We have decided to compile this software statically because of the
benchmarks: it runs 13% faster on Linux when linked statically.





Step 5
Now, we must make a list of files on the system before installing the software, and one
afterwards, then compare them using the diff utility to find out which files are placed where,
and finally install MySQL.

[root@deep mysql-3.23.38]# make
[root@deep mysql-3.23.38]# cd
[root@deep /root]# find /* > MySQL1
[root@deep /root]# cd /var/tmp/mysql-3.23.38/
[root@deep mysql-3.23.38]# make install
[root@deep mysql-3.23.38]# install -m 644 include/my_config.h /usr/include/mysql/
[root@deep mysql-3.23.38]# mkdir -p /var/run/mysqld
[root@deep mysql-3.23.38]# chmod 0755 /var/run/mysqld
[root@deep mysql-3.23.38]# chown mysql.mysql /var/run/mysqld
[root@deep mysql-3.23.38]# rm -f /usr/share/mysql/mysql-*.spec
[root@deep mysql-3.23.38]# rm -f /usr/share/mysql/mysql-log-rotate
[root@deep mysql-3.23.38]# strip /usr/sbin/mysqld
[root@deep mysql-3.23.38]# cd
[root@deep /root]# find /* > MySQL2
[root@deep /root]# diff MySQL1 MySQL2 > MySQL-Installed

The make command compiles all source files into executable binaries, and make install then
installs the binaries and any supporting files into the appropriate locations. The mkdir -p
creates a new directory for the MySQL pid file under the appropriate location, and the chmod and
chown that follow set its permissions and ownership. The strip command reduces the size of our
mysqld daemon binary by about 50%.


Step 6
At this stage, all the files and binaries related to the MySQL database have been installed on your
computer. It is time to verify that the mysqld daemon is linked statically, as we want it to be.

• To verify that the mysqld daemon is linked statically, use the following command:
[root@deep /]# ldd /usr/sbin/mysqld
not a dynamic executable

If the command returns the same result as shown above (not a dynamic executable), then
congratulations! Every library required by the daemon to run on your server has been compiled
directly into the mysqld binary. Keep in mind that this also means the daemon does not pick up
fixes from updated shared libraries: when a library MySQL was built against (glibc, zlib, etc.)
is patched, mysqld must be rebuilt to benefit from the fix.

Step 7
Once the configuration, optimization, compilation, and installation of the database software have
been accomplished, we can free up some disk space by deleting the program tar archive and the
related source directory, since they are no longer needed.

• To delete the MySQL archive and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf mysql-version/
[root@deep tmp]# rm -f mysql-version.tar.gz

The rm command as used above will remove all the source files we used to compile and
install MySQL. It will also remove the MySQL compressed archive from the /var/tmp directory.

Configuring MySQL
After MySQL has been built and installed successfully on your system, your next step is to
configure and customize its different configuration files. MySQL has just three configuration files:

✓ /etc/my.cnf (The MySQL Configuration File)
✓ /etc/logrotate.d/mysqld (The MySQL Log rotation File)
✓ /etc/rc.d/init.d/mysqld (The MySQL Initialization File)

/etc/my.cnf: The MySQL Configuration File

The /etc/my.cnf file is used to specify MySQL system configuration information, such as the
directory where databases are stored, where the mysqld socket lives and the user under which the
mysqld daemon will run, etc. This file is read for the required information each time the
database daemon starts. It is also used to specify optimization parameters for the database,
but for the moment you can add the lines shown below, and look later in this chapter under
"Optimizing MySQL" for more information about other possible parameters, especially the
ones related to optimization that we could add to this file (my.cnf).

• Create the my.cnf file (touch /etc/my.cnf) and add the following lines:

[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock

[mysql.server]
user=mysql
basedir=/var/lib

[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
/etc/logrotate.d/mysqld: The MySQL Log rotation File

The /etc/logrotate.d/mysqld file allows the MySQL database server to automatically rotate
its log files at the specified time. Here we'll configure the /etc/logrotate.d/mysqld file to
rotate its log files automatically each week. The interval itself comes from the global
/etc/logrotate.conf (weekly by default on Red Hat); add a weekly line to this file only if you
want to override the global setting.

• Create the mysqld file (touch /etc/logrotate.d/mysqld) and add the lines:

/var/log/mysqld.log {
    missingok
    create 0640 mysql mysql
    prerotate
        [ -e /var/lock/subsys/mysqld ] && /usr/bin/mysqladmin flush-logs || /bin/true
    endscript
    postrotate
        [ -e /var/lock/subsys/mysqld ] && /usr/bin/mysqladmin flush-logs || /bin/true
    endscript
}

Once the MySQL root user has a password (Step 3 of the next section), mysqladmin needs that
password here as well; otherwise the flush-logs call is refused, the || /bin/true hides the
failure, and mysqld keeps writing to the renamed file instead of reopening /var/log/mysqld.log.
Rather than writing the password into this file, put it in the [client] section of a /root/.my.cnf
file with mode 0600, which mysqladmin reads automatically when logrotate runs as root.

/etc/rc.d/init.d/mysqld: The MySQL Initialization File

The /etc/rc.d/init.d/mysqld script file is responsible for automatically starting and
stopping the mysqld daemon on your server. Loading the mysqld daemon as a standalone
daemon will eliminate load time and will even reduce swapping, since non-library code will be
shared. The parts of the script that must be customized and adjusted to satisfy our needs (the
MySQL root password passed as -pmypasswd in the stop and reload functions) are pointed out in the
warning after the script.

Step 1
Create the mysqld script file (touch /etc/rc.d/init.d/mysqld) and add the following
lines:
#!/bin/bash
#
# mysqld        This shell script takes care of starting and stopping
#               the MySQL subsystem (mysqld).
#
# chkconfig: - 78 12
# description: MySQL database server.
# processname: mysqld
# config: /etc/my.cnf
# pidfile: /var/run/mysqld/mysqld.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source subsystem configuration.
[ -f /etc/sysconfig/subsys/mysqld ] && . /etc/sysconfig/subsys/mysqld

start() {
    touch /var/log/mysqld.log
    chown mysql.mysql /var/log/mysqld.log
    chmod 0640 /var/log/mysqld.log
    if [ ! -d /var/lib/mysql/mysql ] ; then
        action "Initializing MySQL database" /usr/bin/mysql_install_db
        ret=$?
        chown -R mysql.mysql /var/lib/mysql
        if [ $ret -ne 0 ] ; then
            return $ret
        fi
    fi
    /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf >/dev/null 2>&1 &
    ret=$?
    if [ $ret -eq 0 ]; then
        action "Starting MySQL: " /bin/true
    else
        action "Starting MySQL: " /bin/false
    fi
    [ $ret -eq 0 ] && touch /var/lock/subsys/mysqld
    return $ret
}

stop() {
    /usr/bin/mysqladmin -pmypasswd shutdown > /dev/null 2>&1
    ret=$?
    if [ $ret -eq 0 ]; then
        action "Stopping MySQL: " /bin/true
    else
        action "Stopping MySQL: " /bin/false
    fi
    [ $ret -eq 0 ] && rm -f /var/lock/subsys/mysqld
    [ $ret -eq 0 ] && rm -f /var/lib/mysql/mysql.sock
    return $ret
}

restart() {
    stop
    start
}

condrestart() {
    [ -e /var/lock/subsys/mysqld ] && restart || :
}

reload() {
    [ -e /var/lock/subsys/mysqld ] && mysqladmin -pmypasswd reload
}

# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    status mysqld
    ;;
  reload)
    reload
    ;;
  restart)
    restart
    ;;
  condrestart)
    condrestart
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|reload|condrestart|restart}"
    exit 1
esac

exit $?








WARNING: Pay special attention to the "-pmypasswd" entries in this script file (in the stop and
reload functions). The "mypasswd" represents your MySQL root user password and must be replaced
with your real MySQL root user password, or the SQL server will ask you for the root user password
each time you stop or restart it or reboot your system. Be aware that the MySQL root user has
nothing in common with the Unix root user; only the name is the same and NOTHING else. Because
the password is stored in clear text in this script, the script must stay readable by the Unix
root user only (this is what the chmod 700 in Step 2 does). Since it is also passed on the
mysqladmin command line, it may be briefly visible in the process list to other local users; if
you prefer, put it in the [client] section of a /root/.my.cnf file with mode 0600 and drop the
-pmypasswd options, as mysqladmin reads that file automatically.





Step 2
Once the mysqld script file has been created, it is important to make it executable, change its
default permissions, create the necessary links and start it. Making this file executable will allow
the system to run it; changing its default permissions allows only the root user to read or change
this file, for security reasons; and creating the symbolic links lets the process control
initialization of Linux, which is in charge of starting all the normal and authorized processes that
need to run at boot time on your system, start the program automatically for you at each boot.

• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/mysqld
[root@deep /]# chown 0.0 /etc/rc.d/init.d/mysqld

• To create the symbolic rc.d links for mysqld, use the following commands:
[root@deep /]# chkconfig --add mysqld
[root@deep /]# chkconfig --level 345 mysqld on

• To start the MySQL software manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/mysqld start
Starting MySQL:                                            [OK]













Step 3
Once the SQL server has been started, it's time to assign a password to the super-user of this
database. With the MySQL server, this user is named 'root' by default, but be aware that the MySQL
'root' user has nothing in common with the Unix 'root' user; only the name is the same and
NOTHING else.

For security reasons, it's important to assign a password to the MySQL root user, since by default,
after the installation of the SQL server, the initial root password is empty and allows anyone to
connect with this name and do anything to the database.

• To specify a password for the MySQL root user, perform the following actions:
[root@deep /]# mysql -u root mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 3.23.33

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql> SET PASSWORD FOR root=PASSWORD('mypasswd');
Query OK, 0 rows affected (0.00 sec)

mysql> \q
Bye

The value 'mypasswd' as shown above is where you put the password you want to assign to the
MySQL root user (this is the only value you must change in the above command). Once the root
password has been set you must, in the future, supply this password to be able to connect as
root to the SQL database. Note that mysql_install_db creates more than one row for root in the
user table of the mysql database (one for localhost and one for the server's own host name), as
well as anonymous accounts with an empty user name. After setting the password, list the Host,
User and Password columns of that table and make sure that no row, root or anonymous, is left
with an empty password; delete the anonymous rows if you have no use for them.







NOTE: All software we describe in this book has a specific directory and subdirectory in the tar
compressed archive named floppy-2.0.tgz containing the configuration files for the specific
program. If you get this archive file, you won't be obliged to reproduce the different
configuration files manually or cut and paste them to create or change your configuration files.
Whether you decide to copy them manually or take the files made for your convenience from the
compressed archive, it is your responsibility to modify them to fit your needs and to place the
files related to this software in the appropriate locations on your server. The server
configuration file archive to download is located at the following Internet address:
ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz.





Securing MySQL

This section deals especially with actions we can take to improve and tighten the security of the
MySQL database. The interesting point here is that we refer to the features available within the
base installed program and not to any additional software.

Protect the MySQL communication socket

The unix-domain socket "mysql.sock" which is used to connect to the MySQL database has by
default the following permissions (0777/srwxrwxrwx). This means that anyone who can write to the
directory it lives in can delete this socket, and if this happens, no one will be able to connect
to your database through it.

To avoid deletion of the MySQL communication socket under /var/lib/mysql/mysql.sock,
you can protect its /var/lib/mysql directory by setting the sticky bit on it.

• To protect and set the sticky bit on the directory where the "mysql.sock" file resides, use the
following command:
[root@deep /]# chmod +t /var/lib/mysql

This command will protect your /var/lib/mysql directory so that files can be deleted only by
their owners or the super-user (root).

• To check if the sticky bit is set on this directory, use the following command:
[root@deep /]# ls -ld /var/lib/mysql
drwx-----T   4 mysql    mysql        1024 Mar  4 12:24 /var/lib/mysql

If the last permission bit is T, then the bit is set. Congratulations! A capital T, as here, means
the sticky bit is set on a directory that other users cannot search: with the 0700 mode shown, only
the mysql user and root can reach the socket at all. If a local client running under another Unix
account (the Web server, for example) must connect through the socket, the directory has to be
searchable by that account, for instance mode 1751, and the sticky bit is then what keeps that
account from unlinking mysql.sock.
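Taken together, Steps 2, 5 and 6 of the installation and the sticky-bit check above amount to a
short list of ownership, permission and linkage expectations that are easy to lose on an upgrade.
The following audit script, added here as an example and not taken from the book, rechecks all of
them in one run. PREFIX, DB_USER and DB_GROUP are this example's own variables: PREFIX lets the
checks be exercised against a copy of the tree and must be left empty on the real server, and the
other two default to the mysql account created in Step 3.

```shell
#!/bin/bash
# Added example (not from the book): re-check the ownership and permission
# settings this chapter asks for, so the audit can be repeated after an upgrade.
# PREFIX (assumed, for testing against a copy of the tree) is empty on a real
# server; DB_USER/DB_GROUP default to the "mysql" account created in Step 3.
PREFIX=${PREFIX:-}
DB_USER=${DB_USER:-mysql}
DB_GROUP=${DB_GROUP:-mysql}
FAILS=0

# expect_mode <path> <octal-mode> <user> <group>: true when all three match
# (a missing path also counts as a failure).
expect_mode() {
    [ "$(stat -c '%a %U %G' "$1" 2>/dev/null)" = "$2 $3 $4" ]
}

# has_sticky_bit <dir>: true when the directory carries the sticky (t) bit,
# which is what stops another account from unlinking mysql.sock.
has_sticky_bit() {
    [ -d "$1" ] && [ -k "$1" ]
}

# is_static <binary>: ldd reports "not a dynamic executable" for a static build.
is_static() {
    [ -f "$1" ] && ldd "$1" 2>&1 | grep -q 'not a dynamic executable'
}

# check <description> <command...>: run one check, print its result and count
# failures in FAILS.
check() {
    desc=$1; shift
    if "$@"; then
        echo "ok    $desc"
    else
        echo "FAIL  $desc"
        FAILS=$((FAILS + 1))
    fi
}

# audit_mysql_install: run every check from the chapter; returns the number of
# failed checks (0 means the installation matches the chapter's settings).
audit_mysql_install() {
    FAILS=0
    check "init script is 0700 root:root"            expect_mode "$PREFIX/etc/rc.d/init.d/mysqld" 700 root root
    check "pid directory is 0755 $DB_USER:$DB_GROUP" expect_mode "$PREFIX/var/run/mysqld" 755 "$DB_USER" "$DB_GROUP"
    check "log file is 0640 $DB_USER:$DB_GROUP"      expect_mode "$PREFIX/var/log/mysqld.log" 640 "$DB_USER" "$DB_GROUP"
    check "sticky bit set on $PREFIX/var/lib/mysql"  has_sticky_bit "$PREFIX/var/lib/mysql"
    check "mysqld is linked statically"              is_static "$PREFIX/usr/sbin/mysqld"
    return $FAILS
}

# Run the audit when invoked with "audit" as the argument, e.g.
#   ./mysql-audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_mysql_install
    exit $?
fi
```

The exit status is the number of failed checks, so the script can be run from cron and only its
non-zero runs need attention. The pid directory check will report a failure if the sticky bit has
also been set there, since stat then reports mode 1755 rather than 0755.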
Delete the test database

When you install the MySQL server, the program creates two databases by default. The first database
is named "mysql" and is used to hold all the settings of the MySQL server: users, passwords,
privileges, etc. The second database, named "test", is used to run some tests against your SQL
database. Any local user can connect, without a password, to this database and do anything in it.

This database is not needed by the MySQL server to work and can be removed safely.

• To remove the "test" database from your SQL server, use the following command:
[root@deep /]# mysqladmin drop test -p
Enter password:
Dropping the database is potentially a very bad thing to do.
Any data stored in the database will be destroyed.

Do you really want to drop the 'test' database [y/N] y
Database "test" dropped

Dropping the database does not remove the grants that let any user into it: the db table of the
mysql database still holds two rows that give full privileges on "test" and on every database
whose name starts with "test_". Remove them as well, so that a database recreated with such a
name does not become open to everyone again:

[root@deep /]# mysql -u root mysql -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4 to server version: 3.23.33

Type 'help;' or '\h' for help. Type '\c' to clear the buffer

mysql> DELETE FROM db WHERE Db = "test";
Query OK, 1 row affected (0.00 sec)

mysql> DELETE FROM db WHERE Db = "test\_%";
Query OK, 1 row affected (0.00 sec)

mysql> \q
Bye

Because the grant tables were edited directly with DELETE rather than through REVOKE, the
running server keeps using its in-memory copy of them until the privileges are reloaded; run
mysqladmin reload -p (or restart the server) for the change to take effect.

Optimizing MySQL
This section deals specifically with actions we can take to improve and tighten the performance of
the MySQL database. Note that we refer to the features available within the base installed program.

Get some fast SCSI hard disks

One of the most important parts of optimizing a MySQL server, as for the majority of SQL
databases, is the speed of your hard disk: the faster it is, the faster your databases will run.
Consider using a SCSI disk with low seek times, like 4.2 ms; it can make all the difference, and much
better performance can also be had with RAID technology.

Skip the updating of the last access time

As you should know by now, the noatime mount option of Linux eliminates the writes the system
would otherwise make to the file system just to record when a file was last read. Mounting the
file system where your MySQL databases live with the noatime option avoids some disk seeks and
improves the performance of your SQL server.
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If you want to mount the file system of the MySQL database with the noatime attribute, it’s 
important to create and install the MySQL databases in this partition. In our example, we have 
create this partition early in the chapter 2 of this book named “Linux Installation” and this partition 
is located on /var/lib. 


Step 1 

To mount the file system of MySQL databases with the noatime option, you must edit the fstab 
file (vi /etc/fstab) and add into the line that refer to /var/1ib file system the noatime 
option after the defaults option as show below: 


e Edit the fstab file (vi /etc/fstab), and change the line: 





LABEL=/var/lib /var/lib ext2 defaults 12 
To read: 
LABEL=/var/1lib /var/1lib ext2 defaults, noatime 12 








NOTE: The line related to /var/1lib into your /etc/ fstab file could be different from the one 
above, as this is just an example. 





Step 2 
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the 
Linux system about the modifications. 

• This can be accomplished with the following command: 
[root@deep /]# mount /var/lib -oremount 

Each file system that has been modified must be remounted with the command as shown above. 

Step 3 
After your file system has been remounted, it is important to verify that the modification in the fstab 
file has been correctly applied to the system. 

• You can verify that the modification has been correctly applied with the following command: 
[root@deep /]# cat /proc/mounts 
/dev/root / ext2 rw 0 0 
/proc /proc proc rw 0 0 
/dev/sda1 /boot ext2 rw 0 0 
/dev/sda10 /cache ext2 rw 0 0 
/dev/sda9 /chroot ext2 rw 0 0 
/dev/sda8 /home ext2 rw 0 0 
/dev/sda13 /tmp ext2 rw 0 0 
/dev/sda7 /usr ext2 rw 0 0 
/dev/sda11 /var ext2 rw 0 0 
/dev/sda12 /var/lib ext2 rw,noatime 0 0 
none /dev/pts devpts rw 0 0 

This command will show you all file systems in your Linux server with the parameters applied to 
them. If you see something like: 

/dev/sda12 /var/lib ext2 rw,noatime 0 0 

Congratulations! 
NOTE: Look under the chapter related to the Linux Kernel in this book for more information about the 
noatime attribute and other tunable parameters. 
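The fstab edit of Step 1 and the /proc/mounts check of Step 3 can be scripted and tried against copies of the files before the live system is touched. The shell functions below are an added example and are not from the book: the /proc/mounts and fstab contents they work on are constructed samples, and the mountpoint /var/lib is the one used in the steps above.

```shell
#!/bin/sh
# Added example (not from the book): verify and apply the noatime option.
# mount_opts and has_noatime read a /proc/mounts-style listing on stdin;
# add_noatime_fstab rewrites an fstab read on stdin.  Sample data is constructed.

# Print the option field (4th column) of MOUNTPOINT; print nothing if absent.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4 }'
}

# Succeed only if MOUNTPOINT is listed and its options contain noatime.
has_noatime() {
    opts=$(mount_opts "$1")
    case ",$opts," in
        *,noatime,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Append ",noatime" to the option field of MOUNTPOINT's fstab line unless it
# is already there; every other line passes through untouched, so running the
# function twice leaves the file unchanged.
add_noatime_fstab() {
    awk -v mp="$1" '
        $2 == mp && $4 !~ /(^|,)noatime(,|$)/ { $4 = $4 ",noatime" }
        { print }'
}

# Constructed sample of /proc/mounts after the remount described in Step 3.
SAMPLE_MOUNTS='/dev/root / ext2 rw 0 0
/dev/sda7 /usr ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw,noatime 0 0'

# Constructed sample of /etc/fstab before the edit described in Step 1.
SAMPLE_FSTAB='LABEL=/ / ext2 defaults 1 1
LABEL=/var/lib /var/lib ext2 defaults 1 2'

# Usage: check the sample listing, then show the rewritten fstab.
printf '%s\n' "$SAMPLE_MOUNTS" | has_noatime /var/lib && echo "/var/lib is mounted noatime"
printf '%s\n' "$SAMPLE_FSTAB" | add_noatime_fstab /var/lib
```

On a real system the listing comes from `cat /proc/mounts` and the fstab rewrite would be applied to a copy first, compared with `diff`, and only then moved into place; the check after `mount -oremount` is what tells you the option actually took effect.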





Give MySQL more memory to get better performance 

There are four options and configurable variables related directly to the speed of the MySQL database 
that you might tune during server startup. The key_buffer_size parameter is one of the most 
important tunable variables; it represents the size of the buffer used for index blocks by the MySQL 
server. The second important variable is table_cache, which represents the number of open 
tables for all threads. By increasing this value, you increase the number of file descriptors that 
mysqld requires. The last two variables are sort_buffer, which speeds up the ORDER BY and 
GROUP BY operations of the database, and record_buffer, which improves speed when you 
do many sequential scans. 


Step 1 
Depending on the amount of memory (RAM) you have in your system, and according to the MySQL 
recommendations: 

If you have a large amount of memory (>=256M), many tables and want maximum performance 
with a moderate number of clients, you should use something like this in your my.cnf file: 

set-variable = key_buffer=64M 
set-variable = table_cache=256 
set-variable = sort_buffer=4M 
set-variable = record_buffer=1M 

If you have only 128M and only a few tables, but you still do a lot of sorting, you can use 
something like this in your my.cnf file: 

set-variable = key_buffer=16M 
set-variable = sort_buffer=1M 

If you have little memory and lots of connections, use something like this in your my.cnf file: 

set-variable = key_buffer=512k 
set-variable = sort_buffer=100k 
set-variable = record_buffer=100k 

or even: 

set-variable = key_buffer=512k 
set-variable = sort_buffer=16k 
set-variable = table_cache=32 
set-variable = record_buffer=8k 
set-variable = net_buffer=1K 

These are just some examples; a complete list of tunable parameters depending on your type of 
SQL server exists under the /usr/share/mysql directory and is available for you to learn from. In 
total there are four example files with lots of tunable parameters for huge, large, medium, and 
small systems, and they are called respectively: my-huge.cnf, my-large.cnf, my-medium.cnf, 
my-small.cnf. Please check them to better fit your optimization requirements. 

Step 2 
Once you know the values you need for your MySQL database server, it’s time to set them in your 
/etc/my.cnf file. Recall that this file is read each time your database server starts. In our 
example, as shown below, we will configure the /etc/my.cnf file for a medium system with little 
memory (32M - 64M) where MySQL plays an important part, and for systems up to 128M where MySQL 
is used together with other programs (like a web server). The text in bold marks the parts of the 
configuration file that must be customized and adjusted to satisfy our needs. 


Step 3 
Edit your my.cnf file (vi /etc/my.cnf) and put in the values that you have chosen: 

[mysqld] 
datadir=/var/lib/mysql 
socket=/var/lib/mysql/mysql.sock 
skip-locking 
set-variable = key_buffer=16M 
set-variable = max_allowed_packet=1M 
set-variable = table_cache=64 
set-variable = sort_buffer=512K 
set-variable = net_buffer_length=8K 
set-variable = myisam_sort_buffer_size=8M 

[mysql.server] 
user=mysql 
basedir=/var/lib 

[safe_mysqld] 
err-log=/var/log/mysqld.log 
pid-file=/var/run/mysqld/mysqld.pid 

[isamchk] 
set-variable = key_buffer=20M 
set-variable = sort_buffer=20M 
set-variable = read_buffer=2M 
set-variable = write_buffer=2M 

[myisamchk] 
set-variable = key_buffer=20M 
set-variable = sort_buffer=20M 
set-variable = read_buffer=2M 
set-variable = write_buffer=2M 

Step 4 
Restart the MySQL database server for the changes to take effect: 

[root@deep /]# /etc/rc.d/init.d/mysqld restart 
Enter password: 
Stopping MySQL:                                            [OK] 
Starting MySQL:                                            [OK] 

Now you should verify your new values with the mysqladmin command as shown below. One 
function of this command allows you to see what values a running MySQL server is using. 


• To verify the new variables entered in your startup file, use the following command: 
[root@deep /]# mysqladmin variables -p 
Enter password: 
+-------------------------+---------------------------------------------+ 
| Variable_name           | Value                                       | 
+-------------------------+---------------------------------------------+ 
| ansi_mode               | OFF                                         | 
| back_log                | 50                                          | 
| basedir                 | /usr/                                       | 
| binlog_cache_size       | 32768                                       | 
| character_set           | latin1                                      | 
| character_sets          | latin1 dec8 dos german1 hp8 koi8_ru latin2  | 
| concurrent_insert       | ON                                          | 
| connect_timeout         | 5                                           | 
| datadir                 | /var/lib/mysql/                             | 
| delay_key_write         | ON                                          | 
| delayed_insert_limit    | 100                                         | 
| delayed_insert_timeout  | 300                                         | 
| delayed_queue_size      | 1000                                        | 
| flush                   | OFF                                         | 
| flush_time              |                                             | 
| have_bdb                |                                             | 
| have_gemini             |                                             | 
| have_innobase           |                                             | 
| have_isam               |                                             | 
| have_raid               |                                             | 
| have_ssl                |                                             | 
| init_file               |                                             | 
| interactive_timeout     | 28800                                       | 
| join_buffer_size        | 131072                                      | 
| key_buffer_size         | 16773120                                    | 
| language                | /usr/share/mysql/english/                   | 
| large_files_support     | ON                                          | 
| locked_in_memory        | OFF                                         | 
| log                     | OFF                                         | 
| log_update              | OFF                                         | 
| log_bin                 | OFF                                         | 
| log_slave_updates       | OFF                                         | 
| long_query_time         | 10                                          | 
| low_priority_updates    | OFF                                         | 
| lower_case_table_names  | 0                                           | 
| max_allowed_packet      | 1047552                                     | 
| max_binlog_cache_size   | 4294967295                                  | 
| max_binlog_size         | 1073741824                                  | 
| max_connections         | 100                                         | 
| max_connect_errors      | 10                                          | 
| max_delayed_threads     | 20                                          | 
| max_heap_table_size     | 16777216                                    | 
| max_join_size           | 4294967295                                  | 
| max_sort_length         | 1024                                        | 
| max_tmp_tables          | 32                                          | 
| max_write_lock_count    | 4294967295                                  | 
| myisam_recover_options  | OFF                                         | 
| myisam_sort_buffer_size | 8388608                                     | 
| net_buffer_length       | 7168                                        | 
| net_read_timeout        | 30                                          | 
| net_retry_count         | 10                                          | 
| net_write_timeout       | 60                                          | 
| open_files_limit        | 0                                           | 
| pid_file                | /var/run/mysqld/mysqld.pid                  | 
| port                    | 3306                                        | 
| protocol_version        | 10                                          | 
| record_buffer           | 131072                                      | 
| query_buffer_size       | 0                                           | 
| safe_show_database      | OFF                                         | 
| server_id               | 0                                           | 
| skip_locking            | ON                                          | 
| skip_networking         | OFF                                         | 
| skip_show_database      | OFF                                         | 
| slow_launch_time        | 2                                           | 
| socket                  | /var/lib/mysql/mysql.sock                   | 
| sort_buffer             | 524280                                      | 
| table_cache             | 64                                          | 
| table_type              | MYISAM                                      | 
| thread_cache_size       | 0                                           | 
| thread_stack            | 65536                                       | 
| timezone                | EST                                         | 
| tmp_table_size          | 1048576                                     | 
| tmpdir                  | /tmp/                                       | 
| version                 | 3.23.33                                     | 
| wait_timeout            | 28800                                       | 
+-------------------------+---------------------------------------------+ 


From the above table, we can see that the values have been changed successfully with the new 
parameters. 








NOTE: It’s important to note that the value of key_buffer cannot be more than 50% of your total 
memory, or your system may start to page and become REALLY slow. So, if you have, for 
example, 256 MB of RAM, the value can be a maximum of 128 MB and no more. 
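The 50% rule in the note is easy to break silently when a my.cnf is copied between machines with different amounts of RAM, so it is worth checking mechanically. The functions below are an added example and not from the book: they pull key_buffer out of the [mysqld] section of a my.cnf (skipping the [isamchk] and [myisamchk] sections, whose key_buffer belongs to the repair tools and does not count against the server's memory) and compare it with a MemTotal figure as /proc/meminfo reports it in kilobytes. The my.cnf fragment and the memory sizes used here are constructed samples.

```shell
#!/bin/sh
# Added example (not from the book): read key_buffer from the [mysqld] section
# of a my.cnf and check it against the 50%-of-RAM rule stated in the note.
# The my.cnf text and the MemTotal figures below are constructed samples.

# Convert a MySQL size such as 512k, 16M or 1G to bytes (a bare number is bytes).
to_bytes() {
    n=${1%[KkMmGg]}
    case "$1" in
        *[Kk]) echo $((n * 1024)) ;;
        *[Mm]) echo $((n * 1024 * 1024)) ;;
        *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
        *)     echo "$n" ;;
    esac
}

# Print the key_buffer value from the [mysqld] section of a my.cnf on stdin.
# Other sections ([isamchk], [myisamchk]) also carry a key_buffer, but that
# one is used by the table-repair tools, not by the running server.
key_buffer_from_cnf() {
    awk '
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
        in_mysqld && /key_buffer *=/ {
            sub(/.*key_buffer *= */, ""); sub(/[ \t]*$/, ""); print; exit
        }'
}

# Succeed if KEY_BUFFER (MySQL size syntax) is at most half of MEMTOTAL_KB,
# the MemTotal line of /proc/meminfo, given in kilobytes.
check_key_buffer() {
    bytes=$(to_bytes "$1")
    limit=$(( $2 * 1024 / 2 ))
    [ "$bytes" -le "$limit" ]
}

# Constructed my.cnf fragment using the values set in the my.cnf above.
SAMPLE_MY_CNF='[mysqld]
datadir=/var/lib/mysql
set-variable = key_buffer=16M
set-variable = table_cache=64

[isamchk]
set-variable = key_buffer=20M'

# Usage: a 64M machine (MemTotal 65536 kB) comfortably allows a 16M key_buffer.
kb=$(printf '%s\n' "$SAMPLE_MY_CNF" | key_buffer_from_cnf)
if check_key_buffer "$kb" 65536; then
    echo "key_buffer=$kb is within 50% of RAM"
else
    echo "key_buffer=$kb exceeds 50% of RAM; the system may start to page"
fi
```

On a live server the second argument would come from `awk '/^MemTotal/ { print $2 }' /proc/meminfo`, and the same check is worth running against sort_buffer and record_buffer, which are allocated per connection rather than once.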





MySQL Administrative Tools 

The commands listed below are some that we use often in regular use, but many more exist and 
you must check the reference manual for more information. 

There are two statements you may use to create new users in the database, the GRANT and 
INSERT statements. With MySQL you have the possibility to specify, during user creation, what 
privileges you want to assign to your users. Privileges can be used to set which parts of the 
database users are allowed to use, administer, control, etc. 





The GRANT statement 

The first example below shows the steps to follow with the GRANT statement. In this 
example we’ll create two different users, one named “sqladmin” with password “mo” and the 
second named “operator” with no password and limited privileges. 

• To define a new user with a password and full privileges in your database with the GRANT 
statement, use the following commands: 
[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 3 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> GRANT ALL PRIVILEGES ON *.* TO sqladmin@localhost 
    -> IDENTIFIED BY 'mo' WITH GRANT OPTION; 
Query OK, 0 rows affected (0.00 sec) 

mysql> \q 
Bye 

The user we have created is named “sqladmin” with password set to “mo”. This user has full 
privileges (“ALL PRIVILEGES”) over the database, like the MySQL super-user root. 














• To define a new user with limited privileges and no password set in your database with the 
GRANT statement, use the following commands: 
[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 3 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> GRANT RELOAD, PROCESS ON *.* TO operator@localhost; 
Query OK, 0 rows affected (0.00 sec) 

mysql> \q 
Bye 

This second user is named “operator” and is granted the reload and process administrative 
privileges only. He doesn’t have a password set and can connect only from the localhost, without 
a password. 

NOTE: Using the GRANT statement could penalize the performance of the SQL server; it is better to 
use the INSERT statement, which does the same job. 








The INSERT statement 

The INSERT statement is the second method to create new users for the database. It’s 
interesting to know this method, since many third party programs use it during user creation. In 
the example below, we use the same user names as above to show you the difference between 
the two methods. 

• To define a new user with a password and full privileges in your database with the INSERT 
statement, use the following commands: 
[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 3 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> INSERT INTO user VALUES ('localhost','sqladmin',PASSWORD('mo'), 
    -> 'Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y'); 
Query OK, 1 row affected (0.02 sec) 

mysql> FLUSH PRIVILEGES; 
Query OK, 0 rows affected (0.00 sec) 

mysql> \q 
Bye 

The 14 ‘Y’ you see in this command represent the privileges allowed for this user. With MySQL 
version 3.23.33 there are 14 privileges you may associate with a user; since the example user 
“sqladmin” has full control over the database, all 14 privileges are set to YES (‘Y’). 


• To define a new user with limited privileges and no password set in your database with 
the INSERT statement, use the following commands: 
[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 3 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> INSERT INTO user SET Host='localhost',User='operator', 
    -> Reload_priv='Y', Process_priv='Y'; 
Query OK, 1 row affected (0.00 sec) 

mysql> FLUSH PRIVILEGES; 
Query OK, 0 rows affected (0.00 sec) 

mysql> \q 
Bye 

In this second example we can see that only 2 privileges have been set for the user, the reload 
and process privileges. Also, this user has no password set and can connect only from the 
localhost, without the need to specify a password. 

Of course, if you want to specify a password for this user (always recommended), then all you 
have to do is to include in the INSERT command the clause “Password=PASSWORD('mypasswd'),” after the 
“User='operator',” parameter. 





The UPDATE & DELETE statements 

These two statements can be used to manage users’ access to the database. The first 
statement allows us to update an existing user’s password on the SQL database and the second 
statement lets us remove an existing user from the database. 

• To update and change a user’s password in your database, use the following command: 
[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 4 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> UPDATE user SET Password=PASSWORD('mypasswd') WHERE user='root'; 
Query OK, 2 rows affected (0.01 sec) 
Rows matched: 2 Changed: 2 Warnings: 0 

mysql> FLUSH PRIVILEGES; 
Query OK, 0 rows affected (0.00 sec) 

mysql> \q 
Bye 

In this example, we update and change the password for the super-user called “root”. The value 
'mypasswd' is where you put the new password you want to set (this is the only value you 
must change in the above command). 

• To remove a user and its password from your database, use the following command: 
[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 4 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> DELETE FROM user WHERE User = "sqladmin"; 
Query OK, 1 row affected (0.00 sec) 

mysql> \q 
Bye 

In this example, we remove the row in the user table of the database related to the user 
“sqladmin” and all privileges and the password associated with it. 
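Whichever statement created the accounts, what matters for security is what the mysql.user table ends up holding, and that is worth auditing after every change. The script below is an added example, not from the book: it reads a tab-separated dump of the user table, in the layout that mysql -B -e 'SELECT * FROM user' mysql prints for MySQL 3.23 (Host, User, Password, then the 14 privilege columns), and reports accounts with an empty password, accounts allowed from any host, and accounts holding all 14 privileges. The table contents are a constructed sample containing the two users created above plus two extra rows; the password hashes are fake placeholders.

```shell
#!/bin/sh
# Added example (not from the book): audit a dump of the mysql.user table.
# Input is tab-separated with a header line: Host, User, Password, then the
# 14 privilege columns of MySQL 3.23.  The rows below are constructed.

# Constructed sample in the layout "mysql -B -e 'SELECT * FROM user' mysql"
# would print.  Hashes are fake placeholders, not real password hashes.
sample_user_table() {
    awk -v OFS='\t' '
    # Expand a 14-character string of Y/N flags into 14 tab-separated fields.
    function privs(spec,    s, i) {
        s = ""
        for (i = 1; i <= 14; i++) s = s (i > 1 ? OFS : "") substr(spec, i, 1)
        return s
    }
    BEGIN {
        print "Host", "User", "Password",
              "Select_priv", "Insert_priv", "Update_priv", "Delete_priv",
              "Create_priv", "Drop_priv", "Reload_priv", "Shutdown_priv",
              "Process_priv", "File_priv", "Grant_priv", "References_priv",
              "Index_priv", "Alter_priv"
        print "localhost", "root",     "0123456789abcdef", privs("YYYYYYYYYYYYYY")
        print "localhost", "sqladmin", "0123456789abcdef", privs("YYYYYYYYYYYYYY")
        print "localhost", "operator", "",                 privs("NNNNNNYNYNNNNN")
        print "%",         "webapp",   "0123456789abcdef", privs("YNNNNNNNNNNNNN")
    }'
}

# Print one finding per line for the user table on stdin.  Checks:
#   - empty password (the "operator" case above)
#   - account permitted from any host ('%')
#   - every privilege column set to Y (equivalent to the MySQL root super-user)
audit_user_table() {
    awk -F'\t' '
        NR == 1 { next }
        {
            who = $2 "@" $1
            if ($3 == "") print who ": empty password"
            if ($1 == "%") print who ": allowed from any host"
            yes = 0
            for (i = 4; i <= NF; i++) if ($i == "Y") yes++
            if (yes == NF - 3) print who ": all " yes " privileges (super-user equivalent)"
        }'
}

# Usage: run the audit over the constructed sample.
sample_user_table | audit_user_table
```

The operator account is flagged exactly because the page's second example leaves it passwordless; the fix is the UPDATE ... SET Password=PASSWORD(...) statement shown above followed by FLUSH PRIVILEGES. An account with all 14 privileges is reported even when it is deliberate (root, sqladmin), since every such row is one more set of credentials that grants full control.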


The basic commands 

Most of you already know how SQL databases, and in our case MySQL, work, but for some others 
this is the first time. Below, I show you the basic commands for managing a database, for 
beginners. 

• To create a new database, run the mysqladmin create dbname utility program: 
[root@deep /]$ mysqladmin create addressbook -p 
Enter password: 
Database "addressbook" created. 

or with the MySQL terminal monitor program (mysql): 

[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 4 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> CREATE DATABASE addressbook; 
Query OK, 1 row affected (0.00 sec) 

mysql> \q 
Bye 

• To delete a database and all its tables, run the mysqladmin drop utility program: 
[root@deep /]$ mysqladmin drop addressbook -p 
Enter password: 
Dropping the database is potentially a very bad thing to do. 
Any data stored in the database will be destroyed. 

Do you really want to drop the 'addressbook' database [y/N] y 
Database "addressbook" dropped 

or with the MySQL terminal monitor program (mysql): 

[root@deep /]$ mysql -u root mysql -p 
Enter password: 
Reading table information for completion of table and column names 
You can turn off this feature to get a quicker startup with -A 

Welcome to the MySQL monitor. Commands end with ; or \g. 
Your MySQL connection id is 4 to server version: 3.23.33 

Type 'help;' or '\h' for help. Type '\c' to clear the buffer 

mysql> DROP DATABASE addressbook; 
Query OK, 3 rows affected (0.00 sec) 

mysql> \q 
Bye 

• To connect to the new database with the MySQL terminal monitor, use the command: 
mysql> USE addressbook; 
Database changed 
mysql> 

• To create a table named contact with the following columns, use the command: 
mysql> CREATE TABLE contact (FirstName VARCHAR(20), 
    -> SecondName VARCHAR(20), Address VARCHAR(80), 
    -> WorkPhone VARCHAR(25), HomePhone VARCHAR(25), 
    -> MobilePhone VARCHAR(25), Fax VARCHAR(25), Website VARCHAR(20), 
    -> Mail VARCHAR(30), Title VARCHAR(20), Description VARCHAR(100)); 
Query OK, 0 rows affected (0.01 sec) 

mysql> 

• To inspect the new table, use the command: 
mysql> DESCRIBE contact; 
+-------------+--------------+------+-----+---------+-------+ 
| Field       | Type         | Null | Key | Default | Extra | 
+-------------+--------------+------+-----+---------+-------+ 
| FirstName   | varchar(20)  | YES  |     | NULL    |       | 
| SecondName  | varchar(20)  | YES  |     | NULL    |       | 
| Address     | varchar(80)  | YES  |     | NULL    |       | 
| WorkPhone   | varchar(25)  | YES  |     | NULL    |       | 
| HomePhone   | varchar(25)  | YES  |     | NULL    |       | 
| MobilePhone | varchar(25)  | YES  |     | NULL    |       | 
| Fax         | varchar(25)  | YES  |     | NULL    |       | 
| Website     | varchar(20)  | YES  |     | NULL    |       | 
| Mail        | varchar(30)  | YES  |     | NULL    |       | 
| Title       | varchar(20)  | YES  |     | NULL    |       | 
| Description | varchar(100) | YES  |     | NULL    |       | 
+-------------+--------------+------+-----+---------+-------+ 
11 rows in set (0.00 sec) 

mysql> \q 
Bye 

The LOAD DATA statement 
Once your table has been created, you need to populate it. There are two statements you may 
use to do the job, the LOAD DATA and INSERT statements. 

The LOAD DATA statement is useful when you have a lot of data to enter in your database. An 
easy way to populate it is to create a text file containing a row for each of your contacts, and then 
load the contents of the file into the table with the LOAD DATA statement. 

You could create a text file “contact.txt” containing one record per line, with values separated 
by tabs, and given in the order in which the columns were listed in the CREATE TABLE statement. 
For missing values, you can use NULL values. To represent these in your text file, use \N. 

Suzanne   Smith   300, Av Washington   (514) 123 4567   (514) 890 1234   \N   \N   www.openna.com   Suzanne@openna.com   DBAdmin   \N 

• To load the text file “contact.txt” into the contact table, use this command: 
mysql> LOAD DATA LOCAL INFILE "contact.txt" INTO TABLE contact; 
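Preparing contact.txt by hand is error-prone: a record with a missing tab, or an empty field where \N was meant, silently shifts every later column into the wrong place. The function below is an added example, not from the book: it converts pipe-delimited records (a constructed input convention that is easier to type than tabs) into the tab-separated, \N-for-missing format that LOAD DATA expects, and rejects any record whose field count does not match the 11 columns of the contact table created above.

```shell
#!/bin/sh
# Added example (not from the book): produce a LOAD DATA text file.
# Input on stdin: one record per line, fields separated by "|" (a constructed
# convention), an empty field meaning "missing".  Output: tab-separated fields
# with \N for missing values, as the contact table's LOAD DATA expects.

# Convert stdin to LOAD DATA format; $1 is the number of columns in the
# table.  A record with the wrong field count is reported on stderr and
# skipped, and the function then exits non-zero so the file is not loaded.
to_loaddata() {
    awk -F'|' -v want="$1" -v OFS='\t' '
        NF != want {
            printf "line %d: %d fields, expected %d\n", NR, NF, want > "/dev/stderr"
            bad = 1
            next
        }
        {
            for (i = 1; i <= NF; i++) if ($i == "") $i = "\\N"
            $1 = $1          # force awk to rebuild the record with tabs
            print
        }
        END { exit bad + 0 }'
}

# Constructed records for the contact table (11 columns): the Suzanne Smith
# row from the text above and the Henri Smith row used with INSERT below.
SAMPLE_RECORDS='Suzanne|Smith|300, Av Washington|(514) 123 4567|(514) 890 1234|||www.openna.com|Suzanne@openna.com|DBAdmin|
Henri|Smith|301, Av Washington|(514) 234 8765|(514) 456 3290|||www.openna.com|henri@openna.com|WebAdmin|'

# Usage: print the converted records, or a hint if any record was malformed.
printf '%s\n' "$SAMPLE_RECORDS" | to_loaddata 11 ||
    echo "fix the records reported above before running LOAD DATA"
```

Redirecting the output to contact.txt gives the file the LOAD DATA LOCAL INFILE statement above reads; because the function exits non-zero on a bad record, a `&&` between the conversion and the load step keeps a half-checked file from ever reaching the server.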


The INSERT statement 

The INSERT statement is useful when you want to add new records one at a time. As for the LOAD 
DATA statement, you supply values for each column, in the order in which the columns were listed 
in the CREATE TABLE statement. 

• To add a new record using an INSERT statement, use this command: 
mysql> INSERT INTO contact 
    -> VALUES ('Henri','Smith','301, Av Washington','(514) 234 8765', 
    -> '(514) 456 3290',NULL,NULL,'www.openna.com','henri@openna.com', 
    -> 'WebAdmin',NULL); 
Query OK, 1 row affected (0.00 sec) 

mysql> \q 
Bye 
• To dump the structure and data from MySQL databases and tables for backup, use the 
following command: 
[root@deep /]# mysqldump mysql > mysqldb.sql -p 
Enter password: 

In this example, we dump the whole database named “mysql” into a backup file named 
“mysqldb.sql”, which can be used later to restore the original database. 

• To restore the structure and data from MySQL databases and tables from backup, use the 
following command: 
[root@deep /]# mysql -u root mysql < mysqldb.sql -p 
Enter password: 

In this example, we restore the original database we backed up earlier, named “mysql”. 


List of installed MySQL files on your system 

> /etc/rc.d/init.d/mysqld 
> /etc/logrotate.d/mysqld 
> /etc/my.cnf 
> /usr/bin/mysql 
> /usr/bin/mysqladmin 
> /usr/bin/mysqlshow 
> /usr/bin/mysqldump 
> /usr/bin/mysqlimport 
> /usr/bin/mysqltest 
> /usr/bin/replace 
> /usr/bin/comp_err 
> /usr/bin/perror 
> /usr/bin/resolveip 
> /usr/bin/my_print_defaults 
> /usr/bin/resolve_stack_dump 
> /usr/bin/isamchk 
> /usr/bin/isamlog 
> /usr/bin/pack_isam 
> /usr/bin/myisamchk 
> /usr/bin/myisamlog 
> /usr/bin/myisampack 
> /usr/bin/mysqlbinlog 
> /usr/bin/safe_mysqld 
> /usr/bin/mysql_install_db 
> /usr/bin/msql2mysql 
> /usr/bin/mysql_config 
> /usr/bin/mysql_fix_privilege_tables 
> /usr/bin/mysql_setpermission 
> /usr/bin/mysql_zap 
> /usr/bin/mysqlaccess 
> /usr/bin/mysqlbug 
> /usr/bin/mysql_convert_table_format 
> /usr/bin/mysql_find_rows 
> /usr/bin/mysqlhotcopy 
> /usr/bin/mysqldumpslow 
> /usr/bin/mysqld_multi 
> /usr/lib/mysql 
> /usr/lib/mysql/libmysqlclient.la 
> /usr/lib/mysql/libmysqlclient.a 
> /usr/lib/mysql/libmystrings.a 
> /usr/lib/mysql/libdbug.a 
> /usr/lib/mysql/libmysys.a 
> /usr/lib/mysql/libnisam.a 
> /usr/lib/mysql/libmerge.a 
> /usr/lib/mysql/libmyisam.a 
> /usr/lib/mysql/libmyisammrg.a 
> /usr/lib/mysql/libheap.a 
> /usr/sbin/mysqld 
> /usr/share/man/man1/mysql.1 
> /usr/share/man/man1/isamchk.1 
> /usr/share/man/man1/isamlog.1 
> /usr/share/man/man1/mysql_zap.1 
> /usr/share/man/man1/mysqlaccess.1 
> /usr/share/man/man1/mysqladmin.1 
> /usr/share/man/man1/mysqld.1 
> /usr/share/man/man1/mysqld_multi.1 
> /usr/share/man/man1/mysqldump.1 
> /usr/share/man/man1/mysqlshow.1 
> /usr/share/man/man1/perror.1 
> /usr/share/man/man1/replace.1 
> /usr/share/man/man1/safe_mysqld.1 
> /usr/share/mysql 
> /usr/share/mysql/mi_test_all 
> /usr/share/mysql/mi_test_all.res 
> /usr/share/mysql/czech 
> /usr/share/mysql/czech/errmsg.sys 
> /usr/share/mysql/czech/errmsg.txt 
> /usr/share/mysql/danish 
> /usr/share/mysql/danish/errmsg.sys 
> /usr/share/mysql/danish/errmsg.txt 
> /usr/share/mysql/dutch 
> /usr/share/mysql/dutch/errmsg.sys 
> /usr/share/mysql/dutch/errmsg.txt 
> /usr/share/mysql/english 
> /usr/share/mysql/english/errmsg.sys 
> /usr/share/mysql/english/errmsg.txt 
> /usr/share/mysql/estonian 
> /usr/share/mysql/estonian/errmsg.sys 
> /usr/share/mysql/estonian/errmsg.txt 
> /usr/share/mysql/french 
> /usr/share/mysql/french/errmsg.sys 
> /usr/share/mysql/french/errmsg.txt 
> /usr/share/mysql/german 
> /usr/share/mysql/german/errmsg.sys 
> /usr/share/mysql/german/errmsg.txt 
> /usr/share/mysql/greek 
> /usr/share/mysql/greek/errmsg.sys 
> /usr/share/mysql/greek/errmsg.txt 
> /usr/share/mysql/hungarian 
> /usr/share/mysql/hungarian/errmsg.sys 
> /usr/share/mysql/hungarian/errmsg.txt 
> /usr/share/mysql/italian 
> /usr/share/mysql/italian/errmsg.sys 
> /usr/share/mysql/italian/errmsg.txt 
> /usr/share/mysql/japanese 
> /usr/share/mysql/japanese/errmsg.sys 
> /usr/share/mysql/japanese/errmsg.txt 
> /usr/share/mysql/korean 
> /usr/share/mysql/korean/errmsg.sys 
> /usr/share/mysql/korean/errmsg.txt 
> /usr/share/mysql/norwegian 
> /usr/share/mysql/norwegian/errmsg.sys 
> /usr/share/mysql/norwegian/errmsg.txt 
> /usr/share/mysql/norwegian-ny 
> /usr/share/mysql/norwegian-ny/errmsg.sys 
> /usr/share/mysql/norwegian-ny/errmsg.txt 
> /usr/share/mysql/polish 
> /usr/share/mysql/polish/errmsg.sys 
> /usr/share/mysql/polish/errmsg.txt 
> /usr/share/mysql/portuguese 
> /usr/share/mysql/portuguese/errmsg.sys 
> /usr/share/mysql/portuguese/errmsg.txt 
> /usr/share/mysql/romanian 
> /usr/share/mysql/romanian/errmsg.sys 
> /usr/share/mysql/romanian/errmsg.txt 
> /usr/share/mysql/russian 
> /usr/share/mysql/russian/errmsg.sys 
> /usr/share/mysql/russian/errmsg.txt 
> /usr/share/mysql/slovak 
> /usr/share/mysql/slovak/errmsg.sys 
> /usr/share/mysql/slovak/errmsg.txt 
> /usr/share/mysql/spanish 
> /usr/share/mysql/spanish/errmsg.sys 
> /usr/share/mysql/spanish/errmsg.txt 
> /usr/share/mysql/swedish 
> /usr/share/mysql/swedish/errmsg.sys 
> /usr/share/mysql/swedish/errmsg.txt 
> /usr/share/mysql/charsets 
> /usr/share/mysql/charsets/README 
> /usr/share/mysql/charsets/Index 
> /usr/share/mysql/charsets/cp1251.conf 
> /usr/share/mysql/charsets/cp1257.conf 
> /usr/share/mysql/charsets/croat.conf 
> /usr/share/mysql/charsets/danish.conf 
> /usr/share/mysql/charsets/dec8.conf 
> /usr/share/mysql/charsets/dos.conf 
> /usr/share/mysql/charsets/estonia.conf 
> /usr/share/mysql/charsets/german1.conf 
> /usr/share/mysql/charsets/greek.conf 
> /usr/share/mysql/charsets/hebrew.conf 
> /usr/share/mysql/charsets/hp8.conf 
> /usr/share/mysql/charsets/hungarian.conf 
> /usr/share/mysql/charsets/koi8_ru.conf 
> /usr/share/mysql/charsets/koi8_ukr.conf 
> /usr/share/mysql/charsets/latin1.conf 
> /usr/share/mysql/charsets/latin2.conf 
> /usr/share/mysql/charsets/latin5.conf 
> /usr/share/mysql/charsets/swe7.conf 
> /usr/share/mysql/charsets/usa7.conf 
> /usr/share/mysql/charsets/win1250.conf 
> /usr/share/mysql/charsets/win1251.conf 
> /usr/share/mysql/charsets/win1251ukr.conf 
> /usr/share/mysql/make_binary_distribution 
> /usr/share/mysql/mysql.server 
> /usr/share/mysql/my-small.cnf 
> /usr/share/mysql/my-medium.cnf 
> /usr/share/mysql/my-large.cnf 
> /usr/share/mysql/my-huge.cnf 
> /usr/share/mysql/binary-configure 
> /usr/mysql-test 
> /usr/include/mysql 
> /usr/include/mysql/dbug.h 
> /usr/include/mysql/m_string.h 
> /usr/include/mysql/my_sys.h 
> /usr/include/mysql/mysql.h 
> /usr/include/mysql/mysql_com.h 
> /usr/include/mysql/mysqld_error.h 
> /usr/include/mysql/my_list.h 
> /usr/include/mysql/my_pthread.h 
> /usr/include/mysql/my_no_pthread.h 
> /usr/include/mysql/raid.h 
> /usr/include/mysql/errmsg.h 
> /usr/include/mysql/my_global.h 
> /usr/include/mysql/my_net.h 
> /usr/include/mysql/sslopt-case.h 
> /usr/include/mysql/sslopt-longopts.h 
> /usr/include/mysql/sslopt-usage.h 
> /usr/include/mysql/sslopt-vars.h 
> /usr/include/mysql/mysql_version.h 
> /usr/include/mysql/m_ctype.h 
> /usr/include/mysql/my_config.h 
> /usr/include/mysql/readline.h 
> /usr/include/mysql/chardefs.h 
> /usr/include/mysql/keymaps.h 
> /usr/include/mysql/history.h 
> /usr/include/mysql/tilde.h 
> /var/run/mysqld 
Linux PostgreSQL Database Server 

PostgreSQL, developed originally in the UC Berkeley Computer Science Department, pioneered 
many of the object-relational concepts now becoming available in commercial databases. It 
provides SQL92/SQL3 language support, transaction integrity, and type extensibility. 

As explained on the PostgreSQL web site: 

PostgreSQL is an object-relational database management system (ORDBMS) based on 
POSTGRES, Version 4.2, developed at the University of California at Berkeley Computer Science 
Department. The POSTGRES project, led by Professor Michael Stonebraker, was sponsored by 
the Defense Advanced Research Projects Agency (DARPA), the Army Research Office (ARO), the 
National Science Foundation (NSF), and ESL, Inc. It is the most advanced open-source database 
available anywhere. 














Recommended RPM packages to be installed for a SQL Server 

A minimal configuration provides the basic set of packages required by the Linux operating 
system. A minimal configuration is a perfect starting point for building a secure operating system. 
Below is the list of all recommended RPM packages required to run your Linux server as a 
database server (SQL) running the PostgreSQL software. 

This configuration assumes that your kernel is a monolithic kernel. Also, I suppose that you will 
install PostgreSQL from an RPM package. Therefore, the postgresql and postgresql-server RPM 
packages are already included in the list below, as you can see. No security tools are installed; 
it is up to you to install them as you need them from RPM packages, since the compiler packages are 
not installed and not included in the list. 

basesystem       ed               less             passwd             sysklogd 
bash             file             libstdc++        perl               syslinux 
bdflush          filesystem       libtermcap       popt               SysVinit 
bind             fileutils        lilo             postgresql         tar 
bzip2            findutils        logrotate        postgresql-server  termcap 
chkconfig        gawk             losetup          procps             textutils 
console-tools    gdbm             MAKEDEV          psmisc             tmpwatch 
cpio             gettext          man              pwdb               utempter 
cracklib         glib             mingetty         qmail              util-linux 
cracklib-dicts   glibc            mktemp           readline           vim-common 
crontabs         glibc-common     mount            rootfiles          vim-minimal 
db1              grep             ncurses          rpm                vixie-cron 
db2              groff            net-tools        sed                words 
db3              gzip             newt             setup              which 
dev              info             openssh          sh-utils           zlib 
devfsd           initscripts      openssh-server   shadow-utils 
diffutils        iptables         openssl          slang 
e2fsprogs        kernel           pam              slocate 

Tested and fully functional on OpenNA.com. 
These installation instructions assume: 

Commands are Unix-compatible. 
The source path is /var/tmp (note that other paths are possible, at personal discretion). 
Installations were tested on Red Hat 7.1. 
All steps in the installation will happen using the super-user account “root”. 
Whether kernel recompilation may be required: No 
Latest PostgreSQL version number is 7.1.2 

Packages 
The following is based on information as listed by PostgreSQL as of 2001/05/18. Please 
regularly check at www.postgresql.org for the latest status. 

Source code is available from: 

PostgreSQL Homepage: http://www.postgresql.org/ 
PostgreSQL FTP Site: 216.126.84.28 

You must be sure to download: postgresql-7.1.2.tar.gz 





Prerequisites 

PostgreSQL requires that the software listed below be already installed on your system to be 
able to compile successfully. If this is not the case, you must install it from your Linux CD-ROM or 
source archive file. Please make sure you have this program installed on your machine before 
you proceed with this chapter. 

• To enable and use SSL encryption support in the software, the OpenSSL library should be 
already installed on your system. 

NOTE: For more information on the OpenSSL software, please see its related chapter earlier in this 
book. 





Pristine source 

If you don’t use the RPM package to install this program, it will be difficult for you to locate all 
the installed files on the system in the event of an update in the future. To solve the problem, 
it is a good idea to make a list of files on the system before you install PostgreSQL, and one 
afterwards, and then compare them using the diff utility of Linux to find out what files were 
placed where. 

• Simply run the following command before installing the software: 
[root@deep /root]# find /* > PostgreSQL1 

• And the following one after you install the software: 
[root@deep /root]# find /* > PostgreSQL2 

• Then use the following command to get a list of what changed: 
[root@deep /root]# diff PostgreSQL1 PostgreSQL2 > PostgreSQL-Installed 

With this procedure, if any upgrade appears, all you have to do is to read the generated list of 
what files were added or changed by the program and remove them manually from your system 
before installing the new software. In our example above, we use the /root directory of 
the system to store all the generated list files. 




Compiling - Optimizing & Installing PostgreSQL 

Below are the required steps that you must make to compile and optimize the PostgreSQL 
database software before installing it into your Linux system. First off, we install the program as 
user 'root' so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


• These procedures can be accomplished with the following commands: 
[root@deep /]# cp postgresql-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf postgresql-version.tar.gz 


Step 2 
In order to check that the version of PostgreSQL which you are going to install is an original 
and unmodified one, use the command described below and check the supplied signature. 


• To verify the MD5 checksum of PostgreSQL, use the following command: 
[root@deep tmp]# md5sum postgresql-version.tar.gz 


This should yield an output similar to this: 
8e2e4319828a8a38492c3ce06726237c postgresql-7.1.2.tar.gz 


Now check that this checksum is exactly the same as the one available in a file called 
“postgresql-7.1.2.tar.gz.md5” on the PostgreSQL FTP Site: 216.126.84.28 


Step 3 
To avoid security risks, we must create a new user and group account called “postgres” to be 
the owner of the PostgreSQL database files and daemon. 


• To create this special PostgreSQL user/group account, use the following commands: 
[root@deep tmp]# groupadd -g 26 postgres >/dev/null 2>&1 || : 
[root@deep tmp]# useradd -M -n -g postgres -o -r -d /var/lib/pgsql -s /bin/bash \ 
-c "PostgreSQL Server" -u 26 postgres >/dev/null 2>&1 || : 


Step 4 
After that, move into the newly created PostgreSQL source directory and perform the following 
steps to configure and optimize PostgreSQL for your system. 


• To move into the newly created PostgreSQL source directory use the command: 
[root@deep tmp]# cd postgresql-7.1.2/ 


• To configure and optimize PostgreSQL use the following compilation lines: 
CFLAGS="-O3 -static -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \ 
CXXFLAGS="-O3 -static -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer \ 
-felide-constructors -fno-exceptions -fno-rtti" \ 
./configure \ 
--prefix=/usr \ 
--sysconfdir=/etc \ 
--localstatedir=/var/lib/pgsql \ 
--mandir=/usr/share/man \ 
--disable-shared \ 
--enable-syslog \ 
--with-openssl 


This tells PostgreSQL to set itself up for this particular configuration with: 


- Disable shared libraries to compile statically linked programs. 
- Enable the PostgreSQL server to use the syslog logging facility. 
- Build with OpenSSL for encryption support. 








WARNING: There is a performance penalty associated with the use of locale support (--enable- 
locale), but if you are not in an English-speaking environment you will most likely need this 
configuration option. It is not included in our compilation lines above. 


Pay special attention to the CXXFLAGS and CFLAGS compilation lines in the above step. We 
optimize PostgreSQL for an i686 CPU architecture with the parameters “-march=i686” and 
“-mcpu=i686”, and compile it statically with the options “-static” and “--disable-shared” for 
optimum performance of the database server. Please don’t forget to adjust the CXXFLAGS and 
CFLAGS lines to reflect your own system and CPU architecture. 





Step 5 

Now, we must make a list of all existing files on the system before installing the software, and one 
afterwards, then compare them using the diff utility tool of Linux to find out what files are placed 
where, and finally install the PostgreSQL server: 


[root@deep postgresql-7.1.2]# make all 
[root@deep postgresql-7.1.2]# cd 
[root@deep /root]# find /* > PostgreSQL1 
[root@deep /root]# cd /var/tmp/postgresql-7.1.2/ 
[root@deep postgresql-7.1.2]# make install 
[root@deep postgresql-7.1.2]# rm -rf /usr/doc/ 
[root@deep postgresql-7.1.2]# mkdir -p /var/lib/pgsql 
[root@deep postgresql-7.1.2]# chmod 700 /var/lib/pgsql/ 
[root@deep postgresql-7.1.2]# chown -R postgres.postgres /var/lib/pgsql/ 
[root@deep postgresql-7.1.2]# touch /var/log/postgresql 
[root@deep postgresql-7.1.2]# chown postgres.postgres /var/log/postgresql 
[root@deep postgresql-7.1.2]# chmod 600 /var/log/postgresql 
[root@deep postgresql-7.1.2]# strip /usr/bin/postgres 
[root@deep postgresql-7.1.2]# strip /usr/bin/ecpg 
[root@deep postgresql-7.1.2]# strip /usr/bin/pg_id 
[root@deep postgresql-7.1.2]# strip /usr/bin/pgrep 
[root@deep postgresql-7.1.2]# strip /usr/bin/pg_dump 
[root@deep postgresql-7.1.2]# strip /usr/bin/pg_passwd 
[root@deep postgresql-7.1.2]# strip /usr/bin/psql 
[root@deep postgresql-7.1.2]# cd 
[root@deep /root]# find /* > PostgreSQL2 
[root@deep /root]# diff PostgreSQL1 PostgreSQL2 > PostgreSQL-Installed 


The make command compiles all source files into executable binaries, and the make install 
command installs the binaries and any supporting files into the appropriate locations. We use the 
command mkdir -p to create the database directory of PostgreSQL called “pgsql” under 
/var/lib. 


The strip command will discard all symbols from the object files. This means that our binary 
files will be smaller in size. This improves the performance of the program since there will 
be fewer bytes for the system to read when it executes the binary. 
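The same before/after comparison appears in the Pristine source section and in Step 5 above. Here it is as an added shell example, not one of the book's own commands. It assumes only POSIX find, sort and comm, builds a small constructed directory tree instead of touching the real filesystem, and goes one step beyond the book's diff: both lists are sorted so the comparison is stable, and the added paths come out deepest first so the list can be fed straight to rm and rmdir when the old build has to be removed before an upgrade.

```shell
#!/bin/sh
# Added example: record the file tree before and after a source install and
# report what the install added or removed. Not the book's own commands.

# snapshot_tree ROOT OUT: write a sorted list of every path under ROOT to OUT.
# Sorting with LC_ALL=C keeps the order byte-wise so comm can compare the lists.
snapshot_tree() {
    find "$1" -print | LC_ALL=C sort > "$2"
}

# added_paths BEFORE AFTER: paths present in AFTER but not in BEFORE, deepest
# first, so the output can be fed to rm/rmdir in order when uninstalling.
added_paths() {
    LC_ALL=C comm -13 "$1" "$2" | LC_ALL=C sort -r
}

# removed_paths BEFORE AFTER: paths that existed before but are gone afterwards
# (an install that overwrites or deletes system files is worth knowing about).
removed_paths() {
    LC_ALL=C comm -23 "$1" "$2"
}

# demo_install_tracking added|removed: build a constructed tree under a temp
# directory, simulate 'make install' into it, and print the requested list with
# the temp prefix stripped. Constructed data; no real system files are touched.
demo_install_tracking() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/lib"
    : > "$root/usr/bin/existing"
    snapshot_tree "$root" "$root.before"
    # simulated install: one new binary, one new directory tree, one file gone
    : > "$root/usr/bin/postgres"
    mkdir -p "$root/var/lib/pgsql"
    : > "$root/var/lib/pgsql/PG_VERSION"
    rm "$root/usr/bin/existing"
    snapshot_tree "$root" "$root.after"
    case "$1" in
        removed) removed_paths "$root.before" "$root.after" ;;
        *)       added_paths   "$root.before" "$root.after" ;;
    esac | sed "s|^$root||"
}
```

On the real system you would call snapshot_tree / with /root/PostgreSQL1 and /root/PostgreSQL2 as the book does; the demo function exists only so the logic can be exercised on a throwaway tree.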


Step 6 
At this stage, all files and binaries related to PostgreSQL server have been installed onto your 
computer. It is time to verify if the postgres daemon is linked statically as we want it to be. 


• To verify if the postgres daemon is linked statically, use the following command: 
[root@deep /]# ldd /usr/bin/postgres 
not a dynamic executable 


If the returned result of the command is the same as the one shown above (not a dynamic 
executable), congratulations! Every library required by the daemon to run successfully on your 
server has been included directly into the postgres binaries. 


Step 7 

Once the configuration, optimization, compilation, and installation of the database software have 
been accomplished, we can free up some disk space by deleting the program tar archive and the 
related source directory since they are no longer needed. 


• To delete PostgreSQL and its related source directory, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf postgresql-version/ 
[root@deep tmp]# rm -f postgresql-version.tar.gz 


The rm command as used above will remove all the source files we have used to compile and 
install PostgreSQL. It will also remove the PostgreSQL compressed archive from the 
/var/tmp directory. 


Configuring PostgreSQL 
After PostgreSQL has been built and installed successfully in your system, your next step is to 
configure and customize its different configuration files. Those files are: 


• /var/lib/pgsql/data/postgresql.conf (The PostgreSQL Configuration File) 
• /etc/logrotate.d/postgres (The PostgreSQL Log rotation File) 
• /etc/rc.d/init.d/postgresql (The PostgreSQL Initialization File) 





/var/lib/pgsql/data/postgresql.conf: The PostgreSQL Config File 
The /var/lib/pgsql/data/postgresql.conf file is used to specify PostgreSQL system 
configuration information. This file is read to get the required information each time the 
database starts its daemon. 


• Edit the postgresql.conf file (vi /var/lib/pgsql/data/postgresql.conf) 
and change the following lines: 


fsync = false 
max_connections = 128 
shared_buffers = 256 
silent_mode = true 
syslog = 2 
log_connections = true 
log_timestamp = true 
ssl = true 
tcpip_socket = false 


This tells the postgresql.conf file to set itself up for this particular configuration with: 


fsync = false 

This option “fsync”, if set to “false”, allows the operating system to do its best in buffering, 
sorting, and delaying writes, which can make for a considerable performance increase. If you 
trust your Linux operating system, your hardware and UPS, you can safely disable this option; 
otherwise enable it. This is a performance feature. 


max_connections = 128 

This option “max_connections” determines how many concurrent connections the database 
server will allow. There is also a compiled-in hard upper limit on this value, which is typically 
1024. We increase the default value of “32” to become 128. 


shared_buffers = 256 

This option “shared_buffers” determines the number of shared memory buffers the database 
server will use. Typically, the integer must be two times (2*) the value of the “max_connections” 
parameter, which becomes in our configuration “256” (2*128=256). This is a performance feature. 


silent_mode = true 

This option “silent_mode”, if set to “true”, will automatically run postmaster in the background 
and disassociate it from any controlling ttys, so no messages are written to stdout or 
stderr. Since we use the syslog program on our Linux system to report error messages, we can 
safely enable this option. 


syslog = 2 
This option “syslog”, if set to “2”, enables the use of syslog for logging and sends output 
only to syslog on the system. 


log_connections = true 
This option “log_connections”, if set to “true”, prints a line about each 
successful connection to the server log. 


log_timestamp = true 
This option “log_timestamp”, if set to “true”, prefixes each server log message with a 
timestamp. 


ssl = true 
This option “ssl”, if set to “true”, enables SSL connections for this PostgreSQL server. See 
later for more information about SSL with PostgreSQL and how to use it if you need it. 
tcpip_socket = false 

This option “tcpip_socket”, if set to “false”, accepts only local Unix domain socket 
connections. If you want to allow external connections to your PostgreSQL server, then you must 
change the default value of “false” to become “true” and see later in this chapter what this 
implies and how to secure and control external users’ connections. 
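To turn the settings above into something that can be checked rather than only read, here is an added shell example (not the book's own code). It reads a postgresql.conf the way the server does: a line beginning with “#” is a comment, and when a key is assigned more than once the last assignment takes effect. The audit reports any of the logging and SSL settings from this section that are missing or different, and flags tcpip_socket = true because that is the setting that exposes the server on TCP port 5432. Both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example: read postgresql.conf as the server does (comments skipped,
# last assignment of a key wins) and audit the settings from this chapter.
# Not the book's own code; the sample files below are constructed.

# pg_conf_get FILE KEY: print the effective value of KEY, or nothing if unset.
# "#ssl = false" is a comment and therefore does not count as a value.
pg_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# pg_conf_audit FILE: print one line per setting that differs from the values
# recommended in this chapter; print nothing when the file is clean.
pg_conf_audit() {
    conf=$1
    # Settings that must be present with exactly this value.
    for want in ssl=true syslog=2 log_connections=true log_timestamp=true; do
        key=${want%%=*}; val=${want#*=}
        got=$(pg_conf_get "$conf" "$key")
        [ "$got" = "$val" ] || echo "$key: want $val, found ${got:-(unset)}"
    done
    # tcpip_socket defaults to false, so only an explicit 'true' widens exposure.
    got=$(pg_conf_get "$conf" tcpip_socket)
    [ "$got" = true ] && echo "tcpip_socket: true exposes port 5432; check pg_hba.conf and the firewall"
    return 0
}

PGCONF_DIR=$(mktemp -d)
# Constructed sample 1: a stock file, every interesting key still commented out.
cat > "$PGCONF_DIR/stock.conf" <<'EOF'
#fsync = true
#max_connections = 32
#ssl = false
#syslog = 0
#tcpip_socket = false
EOF

# Constructed sample 2: the values from this chapter, with tcpip_socket
# switched on again lower in the file, which overrides the earlier 'false'.
cat > "$PGCONF_DIR/hardened.conf" <<'EOF'
fsync = false
max_connections = 128
shared_buffers = 256
silent_mode = true
syslog = 2            # 2 = syslog only
log_connections = true
log_timestamp = true
ssl = true
tcpip_socket = false
tcpip_socket = true
EOF
```

Run pg_conf_audit /var/lib/pgsql/data/postgresql.conf on the real server after editing; an empty result means every setting from this section is in effect. The duplicate-key case is the one that bites in practice: a later line left behind by an earlier edit silently overrides the value you just set.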


/etc/logrotate.d/postgres: The PostgreSQL Log rotation File 
The /etc/logrotate.d/postgres file allows the PostgreSQL database server to 
automatically rotate its log files at a specified time. Here we'll configure the 
/etc/logrotate.d/postgres file to rotate its log file automatically each week. 


• Create the postgres file (touch /etc/logrotate.d/postgres) and add the lines: 


/var/log/postgresql { 
    weekly 
    notifempty 
    missingok 
    copytruncate 
} 

/etc/rc.d/init.d/postgresql: The PostgreSQL Initialization File 
The /etc/rc.d/init.d/postgresql script file is responsible for automatically starting and 
stopping the postmaster daemon of PostgreSQL on your server. Loading the daemon as a 
standalone daemon will eliminate load times and will even reduce swapping since non-library 
code will be shared. 


Step 1 
Create the postgresql script file (touch /etc/rc.d/init.d/postgresql) and add the 
following lines: 


#!/bin/bash 
# 
# postgresql    This is the init script for starting up the PostgreSQL 
#               server 
# 
# chkconfig: - 78 12 
# description: Starts and stops the PostgreSQL backend daemon that handles \ 
#              all database requests. 
# processname: postmaster 
# pidfile: /var/run/postmaster.pid 

# PGVERSION is: 
PGVERSION=7.1.2 

# Source function library. 
INITD=/etc/rc.d/init.d 
. $INITD/functions 

# Get function listing for cross-distribution logic. 
TYPESET=`typeset -f|grep "declare"` 
POSTGRESQL="postgresql" 

# Get config. 
. /etc/sysconfig/network 

# Check that networking is up. 
# Pretty much need it for postmaster. 
[ "${NETWORKING}" = "no" ] && exit 0 

[ -f /usr/bin/postmaster ] || exit 0 

start(){ 
    echo -n $"Checking postgresql installation: " 
    # Check for older PGDATA location. 
    if [ -f /var/lib/pgsql/PG_VERSION ] && [ -d /var/lib/pgsql/base/template1 ] 
    then 
        export PGDATA=/var/lib/pgsql 
    else 
        export PGDATA=/var/lib/pgsql/data 
    fi 
    # Check for the PGDATA structure 
    if [ -f $PGDATA/PG_VERSION ] && [ -d $PGDATA/base/template1 ] 
    then 
        # Check version of existing PGDATA 
        if [ `cat $PGDATA/PG_VERSION` != '7.1.2' ] 
        then 
            SYSDOCDIR="(Your System's documentation directory)" 
            if [ -d /usr/share/doc/postgresql-$PGVERSION ] 
            then 
                SYSDOCDIR=/usr/share/doc 
            fi 
            echo 
            echo $"An old version of the database format was found." 
            echo $"You need to upgrade the data format before using PostgreSQL." 
            exit 1 
        else 
            if echo "$TYPESET"|grep "declare -f success ()" >/dev/null 
            then 
                success "Checking postgresql installation: " 
            else 
                echo_success 
            fi 
            echo 
        fi 
    # No existing PGDATA! Initdb it. 
    else 
        echo $"no database files found." 
        if [ ! -d $PGDATA ] 
        then 
            mkdir -p $PGDATA 
            chown postgres.postgres $PGDATA 
        fi 
        echo -n $"Initializing database..." 
        su -l postgres -c '/usr/bin/initdb --pglib=/usr/lib --pgdata=/var/lib/pgsql/data' < /dev/null > /dev/null 2>&1 
        echo_success 
        echo 
    fi 
    # Check for postmaster already running... 
    pid=`pidof postmaster` 
    if [ -n "$pid" ] 
    then 
        echo $"Postmaster already running." 
    else 
        # all systems go -- remove any stale lock files 
        rm -f /tmp/.s.PGSQL.* > /dev/null 
        echo -n $"Starting postgresql service: " 
        su -l postgres -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start >/dev/null 2>&1" < /dev/null 
        sleep 2 
        pid=`pidof postmaster` 
        if [ -n "$pid" ] 
        then 
            if echo "$TYPESET"|grep "declare -f success ()" >/dev/null 
            then 
                success "Starting postgresql service: " 
            else 
                echo_success 
            fi 
            touch /var/lock/subsys/postgresql 
            echo $pid > /var/run/postmaster.pid 
            echo 
        else 
            if echo "$TYPESET"|grep "declare -f failure ()" >/dev/null 
            then 
                failure "Starting postgresql service: " 
            else 
                echo_failure 
            fi 
            echo 
        fi 
    fi 
} 

stop(){ 
    echo -n $"Stopping postgresql service: " 
    killproc postmaster 
    sleep 2 
    rm -f /var/run/postmaster.pid 
    rm -f /var/lock/subsys/postgresql 
    echo 
} 

restart(){ 
    stop 
    start 
} 

condrestart(){ 
    [ -e /var/lock/subsys/postgresql ] && restart || : 
} 

# See how we were called. 
case "$1" in 
  start) 
    start 
    ;; 
  stop) 
    stop 
    ;; 
  status) 
    status postmaster 
    ;; 
  restart) 
    restart 
    ;; 
  condrestart) 
    condrestart 
    ;; 
  *) 
    echo $"Usage: $0 {start|stop|status|restart|condrestart}" 
    exit 1 
esac 
exit 0 
Step 2 


Once the postgresql script file has been created, it is important to make it executable, change 
its default permissions, create the necessary links and start it. Making this file executable 
allows the system to run it; changing its default permissions allows only the root user to change 
this file, for security reasons; and creating the symbolic links lets the process control 
initialization of Linux, which is in charge of starting all the normal and authorized processes that 
need to run at boot time on your system, start the program automatically for you at each 
reboot. 


• To make this script executable and to change its default permissions, use the commands: 
[root@deep /]# chmod 700 /etc/rc.d/init.d/postgresql 
[root@deep /]# chown 0.0 /etc/rc.d/init.d/postgresql 


• To create the symbolic rc.d links for postgresql, use the following commands: 
[root@deep /]# chkconfig --add postgresql 
[root@deep /]# chkconfig --level 345 postgresql on 


• To start the PostgreSQL software manually, use the following command: 
[root@deep /]# /etc/rc.d/init.d/postgresql start 
Checking postgresql installation: no database files found. 
Initializing database... [OK] 
Starting postgresql service: [OK] 














Step 3 

Once the SQL server has been started, it’s time to verify that it is working. With the PostgreSQL 
server default installation, the only user capable of connecting to the database is the user we 
created previously to handle the database files and daemons, called “postgres”. 


• To connect to the PostgreSQL database, perform the following actions: 
[root@deep /]# psql template1 -U postgres 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 
template1=# \q 


As you can see in the above example, we connect to the database named “template1” through 
the interactive terminal program “psql”, which allows you to interactively enter, edit, and execute 
SQL commands. 


Step 4 

Finally, if the SQL server is running and working, it’s time to assign a password to the super-user 
of this database. With the PostgreSQL server, this super-user is named by default postgres and 
has no password assigned to it, which means that anyone could connect with this name and do 
anything to the database. 


• To specify a password for the PostgreSQL super-user, perform the following actions: 
[root@deep /]# psql template1 -U postgres 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# ALTER USER postgres WITH PASSWORD 'mypasswd'; 
ALTER USER 
template1=# \q 


The value 'mypasswd' as shown above is where you put the password you want to assign to the 
PostgreSQL super-user (this is the only value you must change in the above command). 








NOTE: All software we describe in this book has a specific directory and subdirectory in the tar 
compressed archive named floppy-2.0.tgz containing configuration files for the specific 
program. If you get this archive file, you won’t be obliged to reproduce the different 
configuration files manually or cut and paste them to create or change your configuration files. 
Whether you decide to copy manually or get the files made for your convenience from the 
compressed archive, it will be your responsibility to modify them to suit your needs, and to 
place the files related to this software in the appropriate places on your server. The server 
configuration file archive to download is located at the following Internet address: 
ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. 





Running PostgreSQL with SSL support 

This section applies only if you want to run PostgreSQL over an SSL connection. Below I show 
you how to set up a certificate to use with PostgreSQL. As you can imagine, the principle is the 
same as for creating a certificate for a Web Server (refer to the OpenSSL chapter if you have 
problems creating the certificates). 


Step 1 

First you have to know the Fully Qualified Domain Name (FQDN) of the PostgreSQL (SQL) 
Server for which you want to request a certificate. When you want to access your database 
Server through sql.mydomain.com then the FQDN of your SQL Server is sql.mydomain.com. 
Step 2 

Second, select five large and relatively random files from your hard drive (compressed log files 
are a good start) and put them under your /usr/share/ssl directory. These will act as your 
random seed enhancers. We refer to them as random1:random2:...:random5 below. 


• To select five random files and put them under /usr/share/ssl, use the commands: 
[root@deep /]# cp /var/log/boot.log /usr/share/ssl/random1 
[root@deep /]# cp /var/log/cron /usr/share/ssl/random2 
[root@deep /]# cp /var/log/dmesg /usr/share/ssl/random3 
[root@deep /]# cp /var/log/messages /usr/share/ssl/random4 
[root@deep /]# cp /var/log/secure /usr/share/ssl/random5 


Step 3 

Third, create the RSA private key not protected with a pass-phrase for the PostgreSQL Server 
(it is important to create an RSA private key without a pass-phrase since the PostgreSQL Server 
cannot ask you during start-up to enter the pass-phrase). The command below will generate a 1024 
bit RSA Private Key and store it in the file server.key. 


• To generate the Key, use the following command: 
[root@deep /]# cd /usr/share/ssl/ 
[root@deep ssl]# openssl genrsa -rand random1:random2:random3:random4:random5 -out server.key 1024 
123600 semi-random bytes loaded 
Generating RSA private key, 1024 bit long modulus 
e is 65537 (0x10001) 








WARNING: Please back up your server.key file. A good choice is to back up this information onto 
a diskette or other removable media. 





Step 4 

Finally, generate a Certificate Signing Request (CSR) with the server RSA private key. The 
command below will prompt you for the X.509 attributes of your certificate. Remember to give a 
name like sql.mydomain.com when prompted for “Common Name”. Do not enter your personal 
name here. We are requesting a certificate for a Database SQL Server, so the Common Name has 
to match the FQDN of your site. 


• To generate the CSR, use the following command: 
[root@deep ssl]# openssl req -new -key server.key -out server.csr 
Using configuration from /usr/share/ssl/openssl.cnf 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
Country Name (2 letter code) [CA]: 
State or Province Name (full name) [Quebec]: 
Locality Name (eg, city) [Montreal]: 
Organization Name (eg, company) [OpenNA.com]: 
Organizational Unit Name (eg, section) [OpenNA.com SQL Server]: 
Common Name (eg, YOUR name) [sql.openna.com]: 
Email Address [noc@openna.com]: 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []:. 
An optional company name []:. 











WARNING: Make sure you enter the FQDN (Fully Qualified Domain Name) of the server when 
OpenSSL prompts you for the “Common Name” (i.e. when you generate a CSR for a Database 
Server which will later be accessed via sql.mydomain.com, enter sql.mydomain.com here). 





After generation of your Certificate Signing Request (CSR), you could send this certificate to a 
commercial Certifying Authority (CA) like Thawte or Verisign for signing. You usually have to post 
the CSR into a web form, pay for the signing, await the signed Certificate and store it in a 
server.crt file. The result is then a real Certificate, which can be used for PostgreSQL. 


Step 5 

You are not obligated to send your Certificate Signing Request (CSR) to a commercial Certifying 
Authority (CA) for signing. In some cases, and with the PostgreSQL Server, you can become your 
own Certifying Authority (CA) and sign your certificate yourself. In the step below, I assume 
that your CA key pair, which is required to sign certificates yourself, already exists on the 
server; if this is not the case, please refer to the chapter related to OpenSSL in this book for more 
information about how to create your CA key pair and become your own Certifying Authority 
(CA). 


• To sign server CSRs in order to create real SSL Certificates, use the following command: 
[root@deep ssl]# /usr/share/ssl/misc/sign.sh server.csr 
CA signing: ldap.csr -> server.crt: 
Using configuration from ca.config 
Enter PEM pass phrase: 
Check that the request matches the signature 
Signature ok 
The Subjects Distinguished Name is as follows 
countryName           :PRINTABLE:'CA' 
stateOrProvinceName   :PRINTABLE:'Quebec' 
localityName          :PRINTABLE:'Montreal' 
organizationName      :PRINTABLE:'OpenNA.com' 
organizationalUnitName:PRINTABLE:'OpenNA.com SQL Server' 
commonName            :PRINTABLE:'sql.openna.com' 
emailAddress          :IA5STRING:'noc@openna.com' 
Certificate is to be certified until Mar 15 07:15:45 2002 GMT (365 days) 
Sign the certificate? [y/n]:y 

1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
CA verifying: server.crt <-> CA cert 
server.crt: OK 


This signs the CSR and results in a server.crt file. 

Step 6 

Now, we must place the certificate files (server.key and server.crt) in the data directory of 
PostgreSQL (/var/lib/pgsql/data) and change their default permission modes to be 
(0400/-r--------), owned by the user called ‘postgres’, for PostgreSQL to be able to find 
and use them when it starts its daemon. 


• To place the certificates into the appropriate directory, use the following commands: 
[root@deep ssl]# mv server.key /var/lib/pgsql/data/ 
[root@deep ssl]# mv server.crt /var/lib/pgsql/data/ 
[root@deep ssl]# chmod 400 /var/lib/pgsql/data/server.key 
[root@deep ssl]# chmod 400 /var/lib/pgsql/data/server.crt 
[root@deep ssl]# chown postgres.postgres /var/lib/pgsql/data/server.key 
[root@deep ssl]# chown postgres.postgres /var/lib/pgsql/data/server.crt 
[root@deep ssl]# rm -f server.csr 


First we move the server.key and server.crt files to the data directory of PostgreSQL. After 
that we change the permission mode and ownership of both files so that they are readable only by, 
and owned by, the PostgreSQL user called ‘postgres’, for security reasons. Finally we remove the 
server.csr file from our system since it is no longer needed. 
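Before starting the server, it is worth checking that Step 6 produced what it should. The shell example below is added here and is not the book's own code: check_pg_ssl_files verifies that server.key and server.crt in the data directory are mode 0400 and owned by the given user, and pg_ssl_pair_matches confirms, with the openssl command-line tool, that the certificate was issued for that private key. The data directory and owner are parameters; the files in the demo are constructed dummies, so the pair check is not run on them.

```shell
#!/bin/sh
# Added example: verify the certificate files placed in PostgreSQL's data
# directory before starting the server. Not the book's own commands.

# check_pg_ssl_files DATADIR OWNER: print "ok" when server.key and server.crt
# exist, are mode 0400 (-r--------) and are owned by OWNER; otherwise print one
# line per problem. Always returns 0 so it can be used inside $(...).
check_pg_ssl_files() {
    dir=$1; owner=$2; problems=0
    for name in server.key server.crt; do
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "missing: $path"; problems=$((problems + 1)); continue
        fi
        # ls -ld prints: mode links owner group size date name
        set -- $(ls -ld "$path")
        case "$1" in
            -r--------*) ;;   # a trailing '.' or '+' (SELinux/ACL) is tolerated
            *) echo "mode $1 on $path (want -r--------)"; problems=$((problems + 1)) ;;
        esac
        [ "$3" = "$owner" ] || { echo "owner $3 on $path (want $owner)"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] && echo ok
    return 0
}

# pg_ssl_pair_matches KEYFILE CERTFILE: true when the certificate was issued for
# this private key (same RSA modulus). Needs the openssl command-line tool.
pg_ssl_pair_matches() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# demo_ssl_perms: constructed data directory with two empty dummy files; prints
# the check result with correct permissions, then again after loosening the cert.
demo_ssl_perms() {
    d=$(mktemp -d)
    : > "$d/server.key"; : > "$d/server.crt"
    chmod 400 "$d/server.key" "$d/server.crt"
    me=$(id -un)
    check_pg_ssl_files "$d" "$me"
    chmod 644 "$d/server.crt"
    check_pg_ssl_files "$d" "$me"
}
```

On the server you would run check_pg_ssl_files /var/lib/pgsql/data postgres and pg_ssl_pair_matches /var/lib/pgsql/data/server.key /var/lib/pgsql/data/server.crt; a mismatch in the second means the wrong server.crt was copied in, which postmaster only reports once a client attempts an SSL connection.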


Step 7 
To allow SSL-enabled connections with PostgreSQL, we must change/add one parameter in 
the postgresql.conf file. 


• Edit the postgresql.conf file (vi /var/lib/pgsql/data/postgresql.conf), and 
change the following line: 


#ssl = false 
To read: 


ssl = true 


Step 8 
Finally, we must restart our PostgreSQL server for the changes to take effect. 


• To restart PostgreSQL use the following command: 
[root@deep /]# /etc/rc.d/init.d/postgresql restart 
Stopping postgresql service: [OK] 
Initializing database... [OK] 
Starting postgresql service: [OK] 


Securing PostgreSQL 

This section deals with the actions we can make to improve and tighten security with the 
PostgreSQL database. The interesting point here is that we refer to the features available within 
the base installed program and not to any additional software. 


The PostgreSQL Host-Based Access Control File 

PostgreSQL contains a file named pg_hba.conf located under the /var/lib/pgsql/data 
directory. The purpose of this file is to control who can connect to each available database on the 
server. Once you look into this file, you'll inevitably notice that connections from clients can be 
made using so-called Unix domain sockets or Internet domain sockets (i.e. TCP/IP). 
Unix domain sockets are used when a connection to the database comes from the localhost, and 
Internet domain sockets, as the name implies, when a connection to the database comes from 
outside (i.e. the Internet). By default all connections from a client to the database server are 
allowed only via the local Unix socket, not via TCP/IP sockets, and the backend must be started 
with the “tcpip_socket” option set to “true” in the postgresql.conf file to allow non-local 
clients to connect. 


Below, I show some examples for the configuration of the Host-Based Access Control File of 
PostgreSQL for Unix domain sockets and Internet domain sockets. 


Unix domain sockets 
Connections made using Unix domain sockets are controlled as follows in the pg_hba.conf 
file: 


local DBNAME AUTHTYPE 


Where DBNAME specifies the database that this record applies to. The value "all" specifies that it 
applies to all databases and the value "sameuser" specifies to restrict a user's access to a 
database with the same user name. 


AUTHTYPE specifies the authentication method a user must use to authenticate themselves 
when connecting to that database. The important available methods are: 


1) trust, which means that a connection is allowed unconditionally. 
2) reject, which means that a connection is rejected unconditionally. 
3) crypt, which means that the client is asked for a password for the user. This is sent 
encrypted and compared against the password held in the pg_shadow system catalog 
table and, if the passwords match, the connection is allowed. 
4) password, which means that the client is asked for a password for the user. This is sent 
in clear text and compared against the password held in the pg_shadow system catalog 
table and again, if the passwords match, the connection is allowed. 


Step 1 
Now let’s see a working example: 


• Edit the pg_hba.conf file (vi /var/lib/pgsql/data/pg_hba.conf), and change 
the following lines at the end of the file: 


# By default, allow anything over UNIX domain sockets and localhost. 
local all trust 
host all 127.0.0.1 255.255.255.255 trust 
To read: 


# By default, allow anything over UNIX domain sockets and localhost 
# only if the user's password in pg_shadow is supplied. 
local all crypt 
host all 127.0.0.1 255.255.255.255 crypt 


In the above example, we allow all users from UNIX domain sockets and the localhost to connect 
to all databases if the user's password in the pg_shadow system catalog table is supplied. 
Recall that user passwords are optionally assigned when a user is created; therefore verify that your 
users have passwords assigned to them before setting this option. 


Step 2 
Once the necessary modifications have been set into the pg_hba. conf file, it is time to verify if 
the access control security has been applied to the database. 


• Connect to the database called template1, by using the following command: 
[root@deep /]# psql template1 -U postgres 
Password: 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# \q 


If the system asks you to enter a password, congratulations! 


Internet domain sockets 
Connections made using Internet domain sockets are controlled as follows in the 
pg_hba.conf file: 


host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE 


The format is the same as that of the "local" record type except that the IP_ADDRESS and 
ADDRESS_MASK are added. IP_ADDRESS and ADDRESS_MASK are a standard dotted decimal IP 
address and mask that identify a set of hosts. These hosts are allowed to connect to the database 
DBNAME if the values match. 


Step 1 
Now let’s see a working example: 


• Edit the pg_hba.conf file (vi /var/lib/pgsql/data/pg_hba.conf), and change 
the following lines at the end of the file: 


# By default, allow anything over UNIX domain sockets and localhost 
# only if the user's password in pg_shadow is supplied. 
local all crypt 
host all 127.0.0.1 255.255.255.255 crypt 
To read: 


# By default, allow anything over UNIX domain sockets and localhost 
# only if the user's password in pg_shadow is supplied. 
local all crypt 
host all 127.0.0.1 255.255.255.255 crypt 
# Permitted network first, catch-all reject last: the first matching record wins. 
host all 207.35.78.0 255.255.255.0 crypt 
host all 0.0.0.0 0.0.0.0 reject 
In the above example, we kept our previous setting, which allows all users from UNIX domain 
sockets and localhost to connect to all databases if the user's password in the pg_shadow 
system catalog table is supplied. But we have added two new lines, related to the Internet domain 
sockets, that say: deny anyone from everywhere, except hosts with an IP address of 
207.35.78.x, which may connect to all databases if the user's password in the 
pg_shadow system catalog table is supplied. PostgreSQL uses the first record that matches a 
connection, so the 207.35.78.0 record must come before the catch-all reject record; the other 
way round the reject would match first and no remote host could ever connect. Recall that user 
passwords are optionally assigned when a user is created; therefore verify that your users have 
passwords assigned to them before setting this option. 
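The records above are evaluated in file order: PostgreSQL uses the first record that matches the connection and ignores the rest. The added shell example below (not the book's code) reproduces that lookup for the local, host and hostssl record forms shown in this section, so you can ask which AUTHTYPE a given connection would receive before restarting the server. The two sample files are constructed; they hold the same records in two orders, and the lookup shows that with the catch-all 0.0.0.0 reject placed first the 207.35.78.x network can never connect.

```shell
#!/bin/sh
# Added example: evaluate pg_hba.conf records the way the server does (first
# matching record wins) to see which auth method a connection would get.
# Not the book's own code; both sample files below are constructed.

# ip2int A.B.C.D: dotted-quad address or mask as an integer.
ip2int() {
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# hba_lookup FILE TYPE DB USER [IP]: print the AUTHTYPE of the first record
# matching a connection of kind TYPE (local, host or hostssl) to database DB as
# USER from IP, or "no-match". Records are read top to bottom, so a catch-all
# "0.0.0.0 0.0.0.0 reject" placed above a permit record hides it.
hba_lookup() {
    file=$1; want_type=$2; want_db=$3; want_user=$4; want_ip=${5:-}
    while read -r rtype rdb f3 f4 f5; do
        case "$rtype" in ''|'#'*) continue ;; esac       # blank or comment
        [ "$rtype" = "$want_type" ] || continue
        case "$rdb" in
            all) ;;
            sameuser) [ "$want_db" = "$want_user" ] || continue ;;
            *) [ "$rdb" = "$want_db" ] || continue ;;
        esac
        if [ "$rtype" = local ]; then
            echo "$f3"; return 0                         # local DBNAME AUTHTYPE
        fi
        # host DBNAME IP_ADDRESS ADDRESS_MASK AUTHTYPE: compare masked addresses
        if [ $(( $(ip2int "$want_ip") & $(ip2int "$f4") )) -eq \
             $(( $(ip2int "$f3") & $(ip2int "$f4") )) ]; then
            echo "$f5"; return 0
        fi
    done < "$file"
    echo no-match
}

HBA_DIR=$(mktemp -d)
# Constructed: the catch-all reject listed first shadows the 207.35.78.0 permit.
cat > "$HBA_DIR/shadowed.conf" <<'EOF'
# comments and blank lines are skipped
local all crypt
host  all 127.0.0.1    255.255.255.255 crypt
host  all 0.0.0.0      0.0.0.0         reject
host  all 207.35.78.0  255.255.255.0   crypt
EOF
# Constructed: permit the 207.35.78.x network, then reject everything else.
cat > "$HBA_DIR/ordered.conf" <<'EOF'
local all crypt
host  all 127.0.0.1    255.255.255.255 crypt
host  all 207.35.78.0  255.255.255.0   crypt
host  all 0.0.0.0      0.0.0.0         reject
EOF
```

Run it against the live file with hba_lookup /var/lib/pgsql/data/pg_hba.conf host template1 postgres 207.35.78.5 to confirm the method you expect; a hostssl lookup returns no-match for plain host records, which is exactly the distinction the NOTE below relies on.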








NOTE: Note that a “host” record will allow regular connections and SSL together. If you want to 
accept only SSL-secured connections from this host or hosts, you must change every “host” 
record to become “hostss1” in your pg_hba.conf file. 
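The access decision above depends on record order, because PostgreSQL uses the first pg_hba.conf record whose type, address range and database match and never consults later ones. The following Python is an added example, not code from the book or from PostgreSQL: it parses local/host/hostssl records, applies that first-match rule to a client address, and flags records that an earlier catch-all (such as a 0.0.0.0 0.0.0.0 reject line) makes unreachable. The two configurations and the client addresses are constructed for the demonstration.

```python
import ipaddress

# Two constructed pg_hba.conf variants (not taken from the book), both using the
# 207.35.78.0/24 subnet and the "crypt" auth type of the example above.
# REJECT_FIRST puts the catch-all reject before the subnet record, REJECT_LAST after it.
REJECT_FIRST = """\
# By default, allow anything over UNIX domain sockets and localhost
# only if the user's password in pg_shadow is supplied.
local all crypt
host all 127.0.0.1 255.255.255.255 crypt
host all 0.0.0.0 0.0.0.0 reject
host all 207.35.78.0 255.255.255.0 crypt
"""

REJECT_LAST = """\
# By default, allow anything over UNIX domain sockets and localhost
# only if the user's password in pg_shadow is supplied.
local all crypt
host all 127.0.0.1 255.255.255.255 crypt
host all 207.35.78.0 255.255.255.0 crypt
host all 0.0.0.0 0.0.0.0 reject
"""


def parse_hba(text):
    """Parse 'local' and 'host'/'hostssl' records into a list of dicts, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) == 3:
            rules.append({"type": "local", "db": f[1], "net": None,
                          "auth": f[2], "line": lineno})
        elif f[0] in ("host", "hostssl") and len(f) == 5:
            # ipaddress accepts an (address, dotted netmask) tuple, as pg_hba.conf writes it
            net = ipaddress.IPv4Network((f[2], f[3]), strict=False)
            rules.append({"type": f[0], "db": f[1], "net": net,
                          "auth": f[4], "line": lineno})
        else:
            raise ValueError("line %d: unrecognised record %r" % (lineno, raw))
    return rules


def decide(rules, client_ip, database, ssl=False):
    """Return (authtype, line) of the FIRST matching record, which is how PostgreSQL
    evaluates pg_hba.conf; later matching records are never consulted.
    client_ip=None stands for a UNIX domain socket connection."""
    addr = ipaddress.IPv4Address(client_ip) if client_ip else None
    for r in rules:
        if r["db"] not in ("all", database):
            continue
        if addr is None:
            if r["type"] != "local":
                continue
        else:
            if r["type"] == "local":
                continue
            if r["type"] == "hostssl" and not ssl:
                continue                      # hostssl records match SSL connections only
            if addr not in r["net"]:
                continue
        return r["auth"], r["line"]
    return "reject", None                     # no record matched: connection refused


def shadowed_records(rules):
    """Line numbers of host records that can never be reached because an earlier
    record already covers their whole address range and database scope."""
    out = []
    for j, later in enumerate(rules):
        if later["net"] is None:
            continue
        for earlier in rules[:j]:
            if earlier["net"] is None:
                continue
            covers_db = earlier["db"] in ("all", later["db"])
            covers_type = earlier["type"] == "host" or earlier["type"] == later["type"]
            if covers_db and covers_type and later["net"].subnet_of(earlier["net"]):
                out.append(later["line"])
                break
    return out
```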





Step 2 
Remember that by default all connections from a client to the database server are only allowed 
via the local Unix socket; therefore it is important to allow traffic through the PostgreSQL port 
5432 in our firewall script file for the database to accept an external connection. 

• Edit the iptables script file (vi /etc/rc.d/init.d/iptables), and add/check the 
following lines to allow PostgreSQL packets to traverse the network: 

# PostgreSQL server (5432) 
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \ 
-s $IPADDR --source-port $UNPRIVPORTS \ 
--destination-port 5432 -j ACCEPT 

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \ 
--source-port 5432 \ 
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT 

Where EXTERNAL_INTERFACE="eth0" # Internet connected interface 
Where IPADDR="207.35.78.9" # Your IP address for eth0 
Where UNPRIVPORTS="1024:" # Unprivileged port range 
Step 3 
Another important fact is that the backend must be started with the "tcpip_socket" option set 
to "true" in the postgresql.conf file to allow non-local clients to connect. 

• Edit the postgresql.conf file (vi /var/lib/pgsql/data/postgresql.conf) 
and change the following line: 

fsync = false 
max_connections = 128 
shared_buffers = 256 
silent_mode = true 
syslog = 2 
log_connections = true 
log_timestamp = true 
ssl = true 
tcpip_socket = false 

To read: 

fsync = false 
max_connections = 128 
shared_buffers = 256 
silent_mode = true 
syslog = 2 
log_connections = true 
log_timestamp = true 
ssl = true 
tcpip_socket = true 
Step 4 
Once the required modifications have been made, it is time to verify that the access control security 
is applied to the database for external connections. 

• Connect to the database called template1 from an external host, by using the command: 
[root@ullyse /]# psql -h 207.35.78.9 template1 -U postgres 
Password: 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# \q 

If the system asks you to enter a password, congratulations! 


Optimizing PostgreSQL 
This section deals with actions we can take to improve and tighten the performance of the PostgreSQL 
database. Take note that we refer to the features available within the base installed program. 

Get some fast SCSI hard disks 
One of the most important parts of optimizing a PostgreSQL server, as well as the majority of 
all SQL databases, is the speed of your hard disk: the faster it is, the faster your database will run. 
Consider a SCSI disk with low seek times like 4.2ms; this can make all the difference, and even 
greater performance can be had with RAID technology. 

Skip the updating of the last access time 
As you should know by now, the noatime attribute of Linux eliminates the need for the 
system to write to the file system each time a file is read. Mounting the file system where your 
PostgreSQL databases live with the noatime attribute will avoid some disk seeks and will 
improve the performance of your SQL server. 

If you want to mount the file system of the PostgreSQL database with the noatime attribute, it's 
important to create and install the PostgreSQL databases in this partition. In our example, we 
created this partition early in chapter 2 of this book, named "Linux Installation", and this 
partition is located on /var/lib. 

Step 1 
To mount the file system of the PostgreSQL databases with the noatime option, you must edit the 
fstab file (vi /etc/fstab) and add, to the line that refers to the /var/lib file system, the 
noatime option after the defaults option as shown below: 

• Edit the fstab file (vi /etc/fstab), and change the line: 

LABEL=/var/lib /var/lib ext2 defaults 1 2 

To read: 

LABEL=/var/lib /var/lib ext2 defaults,noatime 1 2 

NOTE: The line related to /var/lib in your /etc/fstab file could be different from the one I 
show above; this is just an example. 





Step 2 
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the 
Linux system about the modifications. 

• This can be accomplished with the following command: 
[root@deep /]# mount /var/lib -oremount 

Each file system that has been modified must be remounted with the command as shown above. 
In our example we have modified the /var/lib file system and it is for this reason that we 
remount this file system with the above command. 

Step 3 
After your file system has been remounted, it is important to verify that the modification of the 
fstab file has been correctly applied. 

• You can verify that the modification has been correctly applied with the following command: 
[root@deep /]# cat /proc/mounts 
/dev/root / ext2 rw 0 0 
/proc /proc proc rw 0 0 
/dev/sda1 /boot ext2 rw 0 0 
/dev/sda10 /cache ext2 rw 0 0 
/dev/sda9 /chroot ext2 rw 0 0 
/dev/sda8 /home ext2 rw 0 0 
/dev/sda13 /tmp ext2 rw 0 0 
/dev/sda7 /usr ext2 rw 0 0 
/dev/sda11 /var ext2 rw 0 0 
/dev/sda12 /var/lib ext2 rw,noatime 0 0 
none /dev/pts devpts rw 0 0 

This command will show you all the file systems on your Linux server and the parameters applied 
to them. If you see something like: 

/dev/sda12 /var/lib ext2 rw,noatime 0 0 

Congratulations! 

NOTE: Look under the chapter related to the Linux Kernel in this book for more information about the 
noatime attribute and other tunable parameters. 
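A check for Steps 1 to 3 above, as added example code that is not from the book: it rewrites an fstab entry to add noatime idempotently, parses /proc/mounts output, and resolves the PostgreSQL data directory to the mount that actually serves it (the longest matching mount point, so /var/lib wins over /var) before testing for the noatime flag. The mount listing and the data directory path are constructed from the example above.

```python
# Constructed /proc/mounts sample modelled on the listing above (not captured from a
# real system): /var is mounted without noatime, /var/lib with it.
PROC_MOUNTS_SAMPLE = """\
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda11 /var ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw,noatime 0 0
none /dev/pts devpts rw 0 0
"""


def parse_proc_mounts(text):
    """Map mount point -> {device, fstype, options}; options become a set of flags."""
    mounts = {}
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        mounts[mountpoint] = {"device": device, "fstype": fstype,
                              "options": set(opts.split(","))}
    return mounts


def mount_for(mounts, path):
    """Longest-prefix match: the mount point that actually serves `path`."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def has_mount_option(mounts, path, option):
    """True when the mount serving `path` carries `option` (e.g. 'noatime')."""
    mp = mount_for(mounts, path)
    return mp is not None and option in mounts[mp]["options"]


def add_fstab_option(line, option):
    """Return the fstab line with `option` appended to its options field; the call is
    idempotent, and comment or blank lines come back unchanged."""
    if not line.strip() or line.lstrip().startswith("#"):
        return line
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("not an fstab entry: %r" % line)
    opts = fields[3].split(",")
    if option not in opts:
        opts.append(option)
    fields[3] = ",".join(opts)
    return " ".join(fields)


def check_noatime(data_dir="/var/lib/pgsql/data", mounts_text=None):
    """True when the file system holding the PostgreSQL data directory (assumed to be
    the book's /var/lib/pgsql/data) is mounted noatime; reads the live /proc/mounts
    unless the listing text is supplied."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    return has_mount_option(parse_proc_mounts(mounts_text), data_dir, "noatime")
```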





PostgreSQL Administrative Tools 
The commands listed below are some that we use often, but many more exist and you must check 
the reference manual for more information. 

With PostgreSQL Server, passwords can be managed with the query language commands 
CREATE USER and ALTER USER; they can also be managed with the shell script wrappers around the 
SQL commands, called createuser and dropuser. By default, if no password has been set up, 
the stored password is NULL and password authentication will always fail for that user. 

The CREATE USER query language command 
The first example below is the step to follow with the CREATE USER query language command. In 
this example we'll create one user named "sqladmin" with no password and limited privileges. 

• To create a new user in your PostgreSQL server with no password and limited 
privileges, use the following commands: 
[root@deep /]# psql template1 -U postgres 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# CREATE USER sqladmin; 
CREATE USER 
template1=# \q 

Since we have not specified any additional clauses to the above query language command, the 
default clauses will deny the newly added user the ability to create both databases and new 
users himself. 

• To create a new user in your PostgreSQL server with password "mo" and privileges to 
create databases and new users himself, use the following commands: 
[root@deep /]# psql template1 -U postgres 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# CREATE USER sqladmin WITH PASSWORD 'mo' CREATEDB CREATEUSER; 
CREATE USER 
template1=# \q 
The ALTER USER query language command 
The ALTER USER query language command can be used to modify user account information on 
the database. It is important to note that only a database super-user can change privileges and 
password expiration with this command. Ordinary users can only change their own password. 

• To modify a user account in your PostgreSQL server, use the following commands: 
[root@deep /]# psql template1 -U postgres 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# ALTER USER sqladmin WITH PASSWORD 'mi' NOCREATEUSER; 
CREATE USER 
template1=# \q 

In the above example, we modify the password for the user sqladmin to become "mi" instead of 
"mo" and deny him the possibility to create new users by himself. 
The shell script wrappers createuser and dropuser 
The shell script wrapper createuser command is the second method to create new users for the 
database. It's interesting to know this method too since many third party programs use it during 
user creation. In the example below, we use the same user name as above to show you the 
difference between the two methods. 

• To create a new user named sqladmin in your PostgreSQL database with no 
password and privileges to create databases and new users himself, use the commands: 
[root@deep /]# su postgres 
bash-2.04$ createuser 
Enter name of user to add: sqladmin 
Shall the new user be allowed to create databases? (y/n) y 
Shall the new user be allowed to create more new users? (y/n) y 
Password: 
CREATE USER 
bash-2.04$ exit 
exit 

Here we create a new user with no password set named sqladmin with privileges to create 
databases and new users himself. 

• To create a new user named sqladmin in your PostgreSQL database with password 
"mo" and privileges to create databases but not new users himself, use the commands: 
[root@deep /]# su postgres 
bash-2.04$ createuser -P 
Enter name of user to add: sqladmin 
Enter password for user "sqladmin": 
Enter it again: 
Shall the new user be allowed to create databases? (y/n) y 
Shall the new user be allowed to create more new users? (y/n) n 
Password: 
CREATE USER 
bash-2.04$ exit 
exit 

• To remove a user named sqladmin from your PostgreSQL database, use the commands: 
[root@deep /]# su postgres 
bash-2.04$ dropuser 
Enter name of user to delete: sqladmin 
Password: 
DROP USER 
bash-2.04$ exit 
exit 

NOTE: By default, users do not have write access to databases they did not create. All files stored 
within the database are protected from being read by any account other than the postgres 
super-user account. 





The basic commands 
Most of you already know how an SQL database, in our case PostgreSQL, works, but for others 
this is the first time. Below, I show you the basic commands for managing a database. 

• To create a new database called "StoreOpenNA" with PostgreSQL, use the commands: 
[root@deep /]# su postgres 
bash-2.04$ createdb StoreOpenNA 
Password: 
CREATE DATABASE 
bash-2.04$ exit 
exit 

• To remove a database called "StoreOpenNA" with PostgreSQL, use the commands: 
[root@deep /]# su postgres 
bash-2.04$ dropdb StoreOpenNA 
Password: 
DROP DATABASE 
bash-2.04$ exit 
exit 

• To create a new database called "StoreOpenNA" with the PostgreSQL terminal monitor 
program (psql), use the following commands: 
[root@deep /]# psql template1 -U postgres 
Password: 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# CREATE DATABASE StoreOpenNA; 
CREATE DATABASE 
template1=# \q 

NOTE: Client connections can be restricted by IP address and/or user name via the 
"pg_hba.conf" file under the /var/lib/pgsql/data directory. 





Other useful commands of the PostgreSQL terminal monitor program (psql), which allows you to 
interactively enter, edit, and execute SQL commands, are: 

To connect to the new database "StoreOpenNA", use the following command: 
[root@deep /]# psql template1 -U postgres 
Password: 
Welcome to psql, the PostgreSQL interactive terminal. 

Type: \copyright for distribution terms 
\h for help with SQL commands 
\? for help on internal slash commands 
\g or terminate with semicolon to execute query 
\q to quit 

template1=# \c storeopenna 
You are now connected to database storeopenna. 
storeopenna=# \q 

To create a table called "bar" under the database storeopenna, use the command: 
storeopenna=# CREATE TABLE bar (i int4, c char(16)); 
CREATE 
storeopenna=# 

To inspect the new table called "bar", use the following command: 
storeopenna=# \d bar 
         Table "bar" 
 Attribute |   Type   | Modifier 
-----------+----------+---------- 
 i         | integer  | 
 c         | char(16) | 

storeopenna=# \q 


List of installed PostgreSQL files on your system 

> /etc/rc.d/init.d/postgresql 
> /etc/logrotate.d/postgres 
> /var/log/postgresql 
> /usr/bin/postmaster 
> /usr/bin/postgres 
> /usr/bin/ecpg 
> /usr/bin/initdb 
> /usr/bin/initlocation 
> /usr/bin/ipcclean 
> /usr/bin/pg_ctl 
> /usr/bin/pg_dump 
> /usr/bin/pg_restore 
> /usr/bin/pg_dumpall 
> /usr/bin/pg_id 
> /usr/bin/pg_passwd 
> /usr/bin/psql 
> /usr/bin/createdb 
> /usr/bin/dropdb 
> /usr/bin/createuser 
> /usr/bin/dropuser 
> /usr/bin/droplang 
> /usr/bin/vacuumdb 
> /usr/bin/createlang 
> /usr/bin/pg_config 
> /usr/lib/libpq.a 
> /usr/lib/libecpg.a 
> /usr/lib/libpgeasy.a 
> /usr/share/man/man1/createdb.1 
> /usr/share/man/man1/createlang.1 
> /usr/share/man/man1/createuser.1 
> /usr/share/man/man1/dropdb.1 
> /usr/share/man/man1/droplang.1 
> /usr/share/man/man1/dropuser.1 
> /usr/share/man/man1/ecpg.1 
> /usr/share/man/man1/initdb.1 
> /usr/share/man/man1/initlocation.1 
> /usr/share/man/man1/ipcclean.1 
> /usr/share/man/man1/pgaccess.1 
> /usr/share/man/man1/pg_config.1 
> /usr/share/man/man1/pg_ctl.1 
> /usr/share/man/man1/pg_dump.1 
> /usr/share/man/man1/pg_dumpall.1 
> /usr/share/man/man1/pg_passwd.1 
> /usr/share/man/man1/pg_restore.1 
> /usr/share/man/man1/pgtclsh.1 
> /usr/share/man/man1/pgtksh.1 
> /usr/share/man/man1/postgres.1 
> /usr/share/man/man1/postmaster.1 
> /usr/share/man/man1/psql.1 
> /usr/share/man/man1/vacuumdb.1 
> /usr/share/man/manl 
> /usr/share/man/manl/abort.l 
> /usr/share/man/manl/alter_group.l 
> /usr/share/man/manl/alter_table.l 
> /usr/share/man/manl/alter_user.l 
> /usr/share/man/manl/begin.l 
> /usr/share/man/manl/checkpoint.l 
> /usr/share/man/manl/close.l 
> /usr/share/man/manl/cluster.l 
> /usr/share/man/manl/comment.l 
> /usr/share/man/manl/commit.l 
> /usr/share/man/manl/copy.l 
> /usr/share/man/manl/create_aggregate.l 
> /usr/share/man/manl/create_constraint_trigger.l 
> /usr/share/man/manl/create_database.l 
> /usr/share/man/manl/create_function.l 
> /usr/share/man/manl/create_group.l 
> /usr/share/man/manl/create_index.l 
> /usr/share/man/manl/create_language.l 
> /usr/share/man/manl/create_operator.l 
> /usr/share/man/manl/create_rule.l 
> /usr/share/man/manl/create_sequence.l 
> /usr/share/man/manl/create_table_as.l 
> /usr/share/man/manl/create_table.l 
> /usr/share/man/manl/create_trigger.l 
> /usr/share/man/manl/create_type.l 
> /usr/share/man/manl/create_user.l 
> /usr/share/man/manl/create_view.l 
> /usr/share/man/manl/declare.l 
> /usr/share/man/manl/delete.l 
> /usr/share/man/manl/drop_aggregate.l 
> /usr/share/man/manl/drop_database.l 
> /usr/share/man/manl/drop_function.l 
> /usr/share/man/manl/drop_group.l 
> /usr/share/man/manl/drop_index.l 
> /usr/share/man/manl/drop_language.l 
> /usr/share/man/manl/drop_operator.l 
> /usr/share/man/manl/drop_rule.l 
> /usr/share/man/manl/drop_sequence.l 
> /usr/share/man/manl/drop_table.l 
> /usr/share/man/manl/drop_trigger.l 
> /usr/share/man/manl/drop_type.l 
> /usr/share/man/manl/drop_user.l 
> /usr/share/man/manl/drop_view.l 
> /usr/share/man/manl/end.l 
> /usr/share/man/manl/explain.l 
> /usr/share/man/manl/fetch.l 
> /usr/share/man/manl/grant.l 
> /usr/share/man/manl/insert.l 
> /usr/share/man/manl/listen.l 
> /usr/share/man/manl/load.l 
> /usr/share/man/manl/lock.l 
> /usr/share/man/manl/move.l 
> /usr/share/man/manl/notify.l 
> /usr/share/man/manl/reindex.l 
> /usr/share/man/manl/reset.l 
> /usr/share/man/manl/revoke.l 
> /usr/share/man/manl/rollback.l 
> /usr/share/man/manl/select_into.l 
> /usr/share/man/manl/select.l 
> /usr/share/man/manl/set_constraints.l 
> /usr/share/man/manl/set.l 
> /usr/share/man/manl/set_transaction.l 
> /usr/share/man/manl/show.l 
> /usr/share/man/manl/truncate.l 
> /usr/share/man/manl/unlisten.l 
> /usr/share/man/manl/update.l 
> /usr/share/man/manl/vacuum.l 
> /usr/share/postgresql 
> /usr/share/postgresql/global.bki 
> /usr/share/postgresql/global.description 
> /usr/share/postgresql/template1.bki 
> /usr/share/postgresql/template1.description 
> /usr/share/postgresql/pg_hba.conf.sample 
> /usr/share/postgresql/pg_ident.conf.sample 
> /usr/share/postgresql/postgresql.conf.sample 
> /usr/include/postgresql 
> /usr/include/postgresql/lib 
> /usr/include/postgresql/lib/dllist.h 
> /usr/include/postgresql/libpq 
> /usr/include/postgresql/libpq/pqcomm.h 
> /usr/include/postgresql/libpq/libpq-fs.h 
> /usr/include/postgresql/c.h 
> /usr/include/postgresql/postgres_ext.h 
> /usr/include/postgresql/postgres_fe.h 
> /usr/include/postgresql/os.h 
> /usr/include/postgresql/config.h 
> /usr/include/postgresql/libpq-fe.h 
> /usr/include/postgresql/libpq-int.h 
> /usr/include/postgresql/pqexpbuffer.h 
> /usr/include/postgresql/ecpgerrno.h 
> /usr/include/postgresql/ecpglib.h 
> /usr/include/postgresql/ecpgtype.h 
> /usr/include/postgresql/sqlca.h 
> /usr/include/postgresql/sql3types.h 
> /usr/include/postgresql/libpgeasy.h 
> /var/lib/pgsql 
In this Chapter 
Configuring OpenLDAP 
Securing OpenLDAP 
Optimizing OpenLDAP 
OpenLDAP Administrative Tools 
OpenLDAP Users Tools 

Linux OpenLDAP Server 


Abstract 
Until now, we have been talking about security and optimization in this book, so why would we 
talk about OpenLDAP? Well, the OpenLDAP directory server will expand our horizons through its 
many possibilities. We can use its replication capability to centralize and consolidate different 
information on one server for all the others in our network. 

Imagine having the possibility of adding or disabling a Unix or NT account, setting access to a 
restricted Web server, and adding a mail address or alias, all with a single operation available as 
an NIS service, with the added security of SSL encryption, and the speed of object-oriented 
hierarchies. Another interesting use is to create an authoritative list of employees on one or more 
LDAP servers that can be accessible from your private network, or over the Internet. 

At present OpenLDAP on Linux is typically used to associate names with phone numbers and e-mail 
addresses, but in the future this will almost certainly change. Directories are designed to 
support a high volume of queries since the data in the directory doesn't change all that often; 
therefore we can imagine an interesting use of OpenLDAP as a possible Domain Name System 
alternative. 

As explained on the OpenLDAP web site: 

LDAP (Lightweight Directory Access Protocol) is an open-standard protocol for accessing 
information services. The protocol runs over Internet transport protocols, such as TCP, and can 
be used to access stand-alone directory servers or X.500 directories. X.500 is an international 
standard for full-featured directories, which is complex and requires lots of computing resources 
and the full OSI stack. LDAP, in contrast, can run easily on a PC and over the TCP/IP protocol. 

In our configuration and installation we'll run OpenLDAP as a non-root user and in a chrooted 
environment with TLS/SSL support. You can configure different kinds of backend databases with 
OpenLDAP: a high-performance, disk-based database named "LDBM"; a database interface to 
arbitrary UNIX commands or shell scripts named "SHELL"; a simple password file database 
named "PASSWD"; and others like SQL. 

The default installation of OpenLDAP assumes an LDBM backend database and this is the one 
that we'll show you in this chapter. For the other types of backend database, you must add the 
required options to your configuration lines. 
Recommended RPM packages to be installed for a LDAP Server 
A minimal configuration provides the basic set of packages required by the Linux operating 
system. A minimal configuration is a perfect starting point for building a secure operating system. 
Below is the list of all recommended RPM packages required to run your Linux server properly as 
a Lightweight Directory Access Protocol (LDAP) server running the OpenLDAP software. 

This configuration assumes that your kernel is a monolithic kernel. Also I suppose that you will 
install OpenLDAP by RPM package. Therefore, the openldap, openldap-servers, and 
openldap-clients RPM packages are already included in the list below, as you can see. The 
security tools are not installed; it is up to you to install them as you need, by RPM packages too, since 
compiler packages are not installed and not included in the list. 


basesystem 
bash 
bdflush 
bind 
bzip2 
chkconfig 
console-tools 
cpio 
cracklib 
cracklib-dicts 
crontabs 
db1 
db2 
db3 
dev 
devfsd 
diffutils 
e2fsprogs 
ed 
file 
filesystem 
fileutils 
findutils 
gawk 
gdbm 
gettext 
glib 
glibc 
glibc-common 
grep 
groff 
gzip 
info 
initscripts 
iptables 
kernel 
less 
libstdc++ 
libtermcap 
lilo 
logrotate 
losetup 
MAKEDEV 
man 
mingetty 
mktemp 
mount 
ncurses 
net-tools 
newt 
openldap 
openldap-servers 
openldap-clients 
openssh 
openssh-server 
openssl 
pam 
passwd 
perl 
popt 
procps 
psmisc 
pwdb 
qmail 
readline 
rootfiles 
rpm 
sed 
setup 
sh-utils 
shadow-utils 
slang 
slocate 
sysklogd 
syslinux 
SysVinit 
tar 
termcap 
textutils 
tmpwatch 
utempter 
util-linux 
vim-common 
vim-minimal 
vixie-cron 
words 
which 
zlib 

Tested and fully functional on OpenNA.com. 

These installation instructions assume 
Commands are Unix-compatible. 
The source path is /var/tmp (note that other paths are possible, at personal discretion). 
Installations were tested on Red Hat 7.1. 
All steps in the installation will happen using the super-user account "root". 
Whether kernel recompilation may be required: No 
Latest OpenLDAP version number is 2.0.11 


Packages 
The following are based on information as listed by OpenLDAP as of 2001/05/29. Please regularly 
check at www.openldap.org for the latest status. 

Source code is available from: 

OpenLDAP Homepage: http://www.openldap.org/ 
OpenLDAP FTP Site: 204.152.186.57 

You must be sure to download: openldap-2.0.11.tgz 





Prerequisites 
OpenLDAP requires that the software listed below be already installed on your system to be able 
to compile successfully. If this is not the case, you must install it from your Linux CD-ROM or 
source archive file. Please make sure you have this program installed on your machine before 
you proceed with this chapter. 

✓ To enable and use TLS/SSL encryption support in the software, the OpenSSL library 
should be already installed on your system. 

NOTE: For more information on the OpenSSL software, please see its related chapter earlier in 
this book. 





Pristine source 
If you don't use the RPM package to install this program, it will be difficult for you to locate all 
installed files on the system in the eventuality of an update in the future. To solve the problem, 
it is a good idea to make a list of files on the system before you install OpenLDAP, and one 
afterwards, and then compare them using the diff utility of Linux to find out what files are 
placed where. 

• Simply run the following command before installing the software: 
[root@deep /root]# find /* > OpenLDAP1 

• And the following one after you install the software: 
[root@deep /root]# find /* > OpenLDAP2 

• Then use the following command to get a list of what changed: 
[root@deep /root]# diff OpenLDAP1 OpenLDAP2 > OpenLDAP-Installed 

With this procedure, if any upgrade appears, all you have to do is read the generated list of 
what files were added or changed by the program and remove them manually from your system 
before installing the new software. Related to our example above, we use the /root directory of 
the system to store all generated list files. 
Compiling - Optimizing & Installing OpenLDAP 
Below are the required steps that you must take to compile and optimize the OpenLDAP 
Lightweight Directory Access Protocol (LDAP) server software before installing it into your Linux 
system. First off, we install the program as user 'root' so as to avoid authorization problems. 

Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 

• These procedures can be accomplished with the following commands: 
[root@deep /]# cp openldap-version.tgz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf openldap-version.tgz 

Step 2 
In order to check that the version of OpenLDAP which you are going to install is an original and 
unmodified one, use the command described below and check the supplied signature. 

• To verify the MD5 checksum of OpenLDAP, use the following command: 
[root@deep tmp]# md5sum openldap-version.tgz 

This should yield an output similar to this: 
e51b06374012b9e7077e1f3e9f65ccd0 openldap-2.0.11.tgz 

Now check that this checksum is exactly the same as the one available in a file called 
"openldap-2.0.11.md5" on the OpenLDAP FTP site: 204.152.186.57 

Step 3 
To avoid security risks, we must create a new user account called "ldap" to be the owner of the 
OpenLDAP database files and daemon. 

• To create this special OpenLDAP user account, use the following command: 
[root@deep tmp]# useradd -r -d /var/lib/ldap -s /bin/false -c "OpenLDAP Server" -u 55 ldap >/dev/null 2>&1 || : 

The above command will create a null account, with no password, no valid shell, no files owned: 
nothing but a UID and a GID. 

Step 4 
After that, move into the newly created OpenLDAP source directory and perform the following 
steps to configure and optimize the software for your system. 

• To move into the newly created OpenLDAP source directory use the command: 
[root@deep tmp]# cd openldap-2.0.11/ 
Step 5 
There are some source files to modify before going into the configuration and compilation of the 
program; the changes allow us to fix some problems. 

• Edit the slap.h file (vi +15 servers/slapd/slap.h) and change the lines: 

#include <sys/types.h> 
#include <ac/syslog.h> 
#include <ac/regex.h> 
#include <ac/socket.h> 
#include <ac/time.h> 
#include <ac/param.h> 

To read: 

#include <sys/types.h> 
#include <sys/socket.h> 
#include <ac/syslog.h> 
#include <ac/regex.h> 
#include <ac/socket.h> 
#include <ac/time.h> 
#include <ac/param.h> 

• Edit the openldap.m4 file (vi +604 build/openldap.m4) and change the lines: 

{ 
return (void *) (p == NULL); 

To read: 

{ 
sleep (30); 
return (void *) (p == NULL); 

• Edit the back-ldbm.h file (vi +23 servers/slapd/back-ldbm/back-ldbm.h) 
and change the lines: 

#endif 

#define DEFAULT_DB_DIRECTORY LDAP_RUNDIR LDAP_DIRSEP "openldap-ldbm" 
#define DEFAULT_MODE 0600 

To read: 

#endif 

#define DEFAULT_DB_DIRECTORY "/var/lib/ldap" 
#define DEFAULT_MODE 0600 
Step 6 
Once the required modifications have been made in the related source files of OpenLDAP, it is 
time to configure and optimize it for our system. 

• To configure and optimize OpenLDAP use the following compilation lines: 
CC="gcc" \ 
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer -D_REENTRANT -fPIC" \ 
./configure \ 
--prefix=/usr \ 
--libexecdir=/usr/sbin \ 
--sysconfdir=/etc \ 
--localstatedir=/var/run \ 
--mandir=/usr/share/man \ 
--disable-debug \ 
--disable-ipv6 \ 
--enable-crypt \ 
--with-tls \ 
--without-threads 

This tells OpenLDAP to set itself up for this particular configuration setup with: 

- Disable debugging support to improve performance. 
- Disable IPv6 support. 
- Enable crypt(3) password support. 
- Enable and include TLS/SSL encryption support in the program. 
- Disable threads support for OpenLDAP on the system. 

NOTE: The default installation of OpenLDAP assumes an LDBM backend database, so if you want 
to configure another type of backend database, you must specify it at configuration and 
compilation time. For a SHELL backend database you must add the "--enable-shell" option, 
and for a PASSWD backend database, which can be used as a replacement for the NIS service, you 
must add the "--enable-passwd" option in your configuration lines. 

The compile options we choose here assume that you want to set up an LDBM backend 
database. For the other types of backend database, you must add the required options to your 
configuration lines. 





Step 7 
Now, we must make a list of all existing files on the system before installing the software, and one 
afterwards, then compare them using the diff utility tool of Linux to find out what files are placed 
where, and finally install the OpenLDAP Lightweight Directory Access Protocol (LDAP) server. 

[root@deep openldap-2.0.11]# make depend 
[root@deep openldap-2.0.11]# make 
[root@deep openldap-2.0.11]# cd tests/ 
[root@deep tests]# make test 
[root@deep tests]# cd 
[root@deep /root]# find /* > OpenLDAP1 
[root@deep /root]# cd /var/tmp/openldap-2.0.11/ 
[root@deep openldap-2.0.11]# make install 
[root@deep openldap-2.0.11]# install -d -m 700 /var/lib/ldap 
[root@deep openldap-2.0.11]# rm -rf /var/run/openldap-ldbm 
[root@deep openldap-2.0.11]# chown -R ldap.ldap /var/lib/ldap/ 
[root@deep openldap-2.0.11]# rm -f /etc/openldap/*.default 
[root@deep openldap-2.0.11]# rm -f /etc/openldap/schema/*.default 
[root@deep openldap-2.0.11]# strip /usr/lib/liblber.a 
[root@deep openldap-2.0.11]# strip /usr/lib/liblber.so.2.0.5 
[root@deep openldap-2.0.11]# strip /usr/lib/libldap.a 
[root@deep openldap-2.0.11]# strip /usr/lib/libldap.so.2.0.5 
[root@deep openldap-2.0.11]# strip /usr/lib/libldap_r.a 
[root@deep openldap-2.0.11]# strip /usr/lib/libldap_r.so.2.0.5 
[root@deep openldap-2.0.11]# /sbin/ldconfig 
[root@deep openldap-2.0.11]# cd 
[root@deep /root]# find /* > OpenLDAP2 
[root@deep /root]# diff OpenLDAP1 OpenLDAP2 > OpenLDAP-Installed 

The make depend command will build and make the necessary dependencies of different files, 
make will compile all source files into executable binaries, and then make install will install 
the binaries and any supporting files into the appropriate locations. 

The make test command under the subdirectory /tests will do some important tests to verify 
the functionality of your OpenLDAP server before the installation. If any of the tests fail, you'll 
need to fix the problems before continuing the installation. 

The strip command will discard all symbols from the object files. This means that our library 
files will be smaller in size and will improve the performance of the program since there will be 
fewer lines to be read by the system when it uses the libraries. 


Step 8 

Once the configuration, optimization, compilation, and installation of the Lightweight Directory 
Server software has been accomplished, we can free up some disk space by deleting the 
program tar archive and the related source directory since they are no longer needed. 


• To delete OpenLDAP and its related source directory, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf openldap-version/ 
[root@deep tmp]# rm -f openldap-version.tgz 


The rm command as used above will remove all the source files we have used to compile and 
install OpenLDAP. It will also remove the OpenLDAP compressed archive from the /var/tmp 
directory. 


Configuring OpenLDAP 


After OpenLDAP has been built and installed successfully in your system, your next step is to 
configure and customize its different configuration files. This is an easy task since there are just 
two files related to OpenLDAP: 


• /etc/openldap/slapd.conf (The OpenLDAP Configuration File) 
• /etc/rc.d/init.d/ldap (The OpenLDAP Initialization File) 


/etc/openldap/slapd.conf: The OpenLDAP Configuration File 

The /etc/openldap/slapd.conf file is the main configuration file for the stand-alone slapd 
daemon and for all of the database back-ends. Options such as permissions, passwords, database 
type, database location and so on are configured in this file and apply to the slapd 
daemon as a whole. 


In the example below we configure the slapd.conf file for an LDBM backend database. The text 
in bold marks the parts of the configuration file that must be customized and adjusted to satisfy 
our needs. 


Step 1 
The first thing to do before starting your Lightweight Directory Access Protocol (LDAP) server is to 
edit the slapd.conf file and change its contents to reflect your environment. 


• Edit the slapd.conf file (vi /etc/openldap/slapd.conf) and add/adjust the 
following information: 

# See slapd.conf(5) for details on configuration options. 
# This file should NOT be world readable. 
# 
include /etc/openldap/schema/core.schema 

# Define global ACLs to disable default read access. 

# Do not enable referrals until AFTER you have a working directory 
# service AND an understanding of referrals. 
#referral ldap://root.openldap.org 

####################################################################### 
# ldbm database definitions 
####################################################################### 

database ldbm 
readonly off 
suffix "dc=openna, dc=com" 
rootdn "cn=Manager, dc=openna, dc=com" 
# Cleartext passwords, especially for the rootdn, should 
# be avoided. See slappasswd(8) and slapd.conf(5) for details. 
# Use of strong authentication encouraged. 
rootpw secret 
# The database directory MUST exist prior to running slapd AND 
# should only be accessable by the slapd/tools. Mode 700 recommended. 
directory /var/lib/ldap 
# ldbm indexed attribute definitions 
index uid pres,eq 
index cn,sn,uid pres,eq,approx,sub 
index objectClass eq 
# ldbm access control definitions 
defaultaccess read 
access to attr=userpassword 
    by self write 
    by dn="cn=Manager, dc=openna, dc=com" write 
    by * compare 


This configures the slapd.conf file for this particular setup with: 


readonly off 

When set to on, this directive puts the database into "read-only" mode: any attempt to modify 
the database will return an "unwilling to perform" error. It is useful when you make your 
directory service available to the public. 


suffix "dc=openna, dc=com" 
This directive specifies the Distinguished Name (DN) of the root of the sub tree you are trying to 
create. In other words, it indicates what entries are to be held by this database. 


rootdn "cn=Manager, dc=openna, dc=com" 

This directive specifies the Distinguished Name (DN) of the entry allowed to do anything on the 
LDAP directory. This DN is not subject to access control or administrative limit restrictions for 
operations on this database. The name entered here can be one that doesn’t actually exist in 
your password file /etc/passwd. 





rootpw secret 

This directive specifies the password that can be used to authenticate the super-user entry of the 
database. This is the password for the DN given above, and it will always work regardless of 
whether an entry with the given DN exists or has a password. It's important to avoid the use of 
a clear text password here and to use a hashed password (see slappasswd(8)) instead. 


directory /var/lib/ldap 

This directive specifies the directory where the database and associated index files of LDAP 
should reside. We must set this to /var/lib/ldap because we created this directory earlier in 
the installation stage specifically to hold the backend database of LDAP. 


index uid pres,eq 
index cn,sn,uid pres,eq,approx,sub 
index objectClass eq 

These directives specify the index definitions you want to build and maintain for the given 
attributes in the database definition. The options we specify in our slapd.conf example file as 
shown above cause all indexes to be maintained for the cn, sn, and uid attributes (index 
cn,sn,uid) and an equality (eq) index for the objectClass attribute (index objectClass eq). 
See your user manual for more information on these options. 


defaultaccess read 
access to attr=userpassword 
    by self write 
    by dn="cn=Manager, dc=openna, dc=com" write 
    by * compare 

The last directives in the slapd.conf file relate to access control in the LDAP directory. The access 
configuration file directive as shown above is used to control access to slapd daemon entries 
and attributes in the system. 


This example applies to all entries in the "dc=openna, dc=com" subtree and means that read 
access is granted to everyone (defaultaccess read), and the entry itself can write all 
attributes, except for userpassword. The userpassword attribute is writable only by the 
specified cn entry (Manager), and comparable by everybody else. See your user manual for 
more information on these options. 
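The decision slapd makes from these directives, modelled as an added example (not the book's or the project's code): it applies the access levels exactly as the listing above declares them (defaultaccess read, and for userpassword: self write, the Manager DN write, everyone else compare), so the effect of the policy on a given requester can be checked before the server goes live. DN matching is a simplified case-insensitive comparison, an assumption of this model.

```python
# Added example, not from the book: a small model of slapd's access decision
# for the directives shown above. Real slapd evaluates "access to" clauses in
# file order and stops at the first matching "by"; this models that one file.

# slapd access levels from weakest to strongest; granting a level also grants
# every level below it (write implies read, search, compare and auth).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

MANAGER_DN = "cn=Manager, dc=openna, dc=com"   # rootdn, also in the "by dn=" clause
DEFAULT_ACCESS = "read"                        # defaultaccess read


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form (simplification assumed here)."""
    return ",".join(part.strip().lower() for part in dn.split(",")) if dn else ""


def granted_level(requester_dn, entry_dn, attribute):
    """Highest access level the config grants requester_dn on attribute."""
    requester = normalize_dn(requester_dn)
    if requester == normalize_dn(MANAGER_DN):
        # The rootdn is not subject to access control at all; the file also
        # names it explicitly: by dn="cn=Manager, dc=openna, dc=com" write
        return "write"
    if attribute.lower() == "userpassword":
        # access to attr=userpassword
        if requester and requester == normalize_dn(entry_dn):
            return "write"          # by self write
        return "compare"            # by * compare (anonymous included)
    # No "access to" clause names this attribute: defaultaccess applies.
    return DEFAULT_ACCESS


def is_allowed(requester_dn, entry_dn, attribute, operation):
    """True if 'operation' (one of LEVELS) is permitted by the policy."""
    granted = LEVELS.index(granted_level(requester_dn, entry_dn, attribute))
    return granted >= LEVELS.index(operation)


def policy_table(entry_dn="uid=alice, ou=People, dc=openna, dc=com"):
    """Who can do what on one entry, for a quick review of the ACL."""
    actors = {
        "anonymous": "",
        "self": entry_dn,
        "other user": "uid=bob, ou=People, dc=openna, dc=com",
        "Manager": MANAGER_DN,
    }
    return {name: {attr: granted_level(dn, entry_dn, attr)
                   for attr in ("cn", "userPassword")}
            for name, dn in actors.items()}
```

Note that with these directives an ordinary user cannot modify attributes other than userpassword on their own entry, because nothing grants more than the default read there.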
Step 2 

Once you have set your preferences and environment in the slapd.conf file, it is important to 
change its default permission mode and owner to the user (ldap) under which the Lightweight 
Directory Access Protocol (LDAP) server will run. 


• To change the permission mode and owner of this file, use the following commands: 
[root@deep /]# chmod 600 /etc/openldap/slapd.conf 
[root@deep /]# chown ldap.ldap /etc/openldap/slapd.conf 


/etc/rc.d/init.d/ldap: The OpenLDAP Initialization File 

The /etc/rc.d/init.d/ldap script file is responsible for automatically starting and stopping the 
slapd daemon of OpenLDAP on your system. Loading the daemon as a standalone will 
eliminate load time and will even reduce swapping since non-library code will be shared. 


Step 1 
Create the ldap script file (touch /etc/rc.d/init.d/ldap) and add the following lines: 


#!/bin/bash 
# 
# ldap          This shell script takes care of starting and stopping 
#               ldap servers (slapd and slurpd). 
# 
# chkconfig: - 39 61 
# description: LDAP stands for Lightweight Directory Access Protocol, used \ 
#              for implementing the industry standard directory services. 
# processname: slapd 
# config: /etc/openldap/slapd.conf 
# pidfile: /var/run/slapd.pid 

# Source function library. 
. /etc/init.d/functions 

# Source networking configuration and check that networking is up. 
if [ -r /etc/sysconfig/network ] ; then 
    . /etc/sysconfig/network 
    [ "${NETWORKING}" = "no" ] && exit 0 
fi 

slapd=/usr/sbin/slapd 
slurpd=/usr/sbin/slurpd 
[ -x ${slapd} ] || exit 0 
#[ -x ${slurpd} ] || exit 0 

RETVAL=0 

function start() { 
    # Start daemons. 
    echo -n $"Starting slapd: " 
    if grep -q ^TLS /etc/openldap/slapd.conf ; then 
        daemon ${slapd} -u ldap -h '"ldap:/// ldaps:///"' 
        RETVAL=$? 
    else 
        daemon ${slapd} -u ldap 
        RETVAL=$? 
    fi 
    echo 
    if [ $RETVAL -eq 0 ]; then 
        if grep -q "^replogfile" /etc/openldap/slapd.conf; then 
            echo -n $"Starting slurpd: " 
            daemon ${slurpd} 
            RETVAL=$? 
            echo 
        fi 
    fi 
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ldap 
    return $RETVAL 
} 

function stop() { 
    # Stop daemons. 
    echo -n $"Stopping slapd: " 
    killproc ${slapd} 
    RETVAL=$? 
    echo 
    if [ $RETVAL -eq 0 ]; then 
        if grep -q "^replogfile" /etc/openldap/slapd.conf; then 
            echo -n $"Stopping slurpd: " 
            killproc ${slurpd} 
            RETVAL=$? 
            echo 
        fi 
    fi 
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /var/run/slapd.args 
    return $RETVAL 
} 

# See how we were called. 
case "$1" in 
    start) 
        start 
        ;; 
    stop) 
        stop 
        ;; 
    status) 
        status ${slapd} 
        if grep -q "^replogfile" /etc/openldap/slapd.conf ; then 
            status ${slurpd} 
        fi 
        ;; 
    restart) 
        stop 
        start 
        ;; 
    reload) 
        killall -HUP ${slapd} 
        RETVAL=$? 
        if [ $RETVAL -eq 0 ]; then 
            if grep -q "^replogfile" /etc/openldap/slapd.conf; then 
                killall -HUP ${slurpd} 
                RETVAL=$? 
            fi 
        fi 
        ;; 
    condrestart) 
        if [ -f /var/lock/subsys/ldap ] ; then 
            stop 
            start 
        fi 
        ;; 
    *) 
        echo $"Usage: $0 {start|stop|restart|status|condrestart}" 
        RETVAL=1 
esac 
exit $RETVAL 





Step 2 

Once the ldap script file has been created, it is important to make it executable, change its 
default permissions, create the necessary links and start it. Making this file executable will allow 
the system to run it, changing its default permission is to allow only the root user to change this 
file for security reasons, and creation of the symbolic links will let the process control initialization 
of Linux, which is in charge of starting all the normal and authorized processes that need to run at 
boot time on your system, start the program automatically for you at each reboot. 


• To make this script executable and to change its default permissions, use the commands: 
[root@deep /]# chmod 700 /etc/rc.d/init.d/ldap 
[root@deep /]# chown 0.0 /etc/rc.d/init.d/ldap 


• To create the symbolic rc.d links for ldap, use the following commands: 
[root@deep /]# chkconfig --add ldap 
[root@deep /]# chkconfig --level 345 ldap on 


• To start the OpenLDAP software manually, use the following command: 
[root@deep /]# /etc/rc.d/init.d/ldap start 
Starting slapd:                                            [OK] 














Step 3 
Once the Lightweight Directory Access Protocol (LDAP) server has been started, it's time to verify 
that it is running and correctly configured. 


• To do it, we will run a search against it with its ldapsearch command utility: 
[root@deep /]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts 


Note the use of single quotes around command parameters to prevent special characters from 
being interpreted by the shell. 


If everything runs as expected, this should return: 
version: 2 

# 
# filter: (objectclass=*) 
# requesting: namingContexts 
# 

# 
dn: 
namingContexts: dc=openna, dc=com 

# search result 
search: 2 
result: 0 Success 

# numResponses: 2 
# numEntries: 1 


Congratulations! Your Lightweight Directory Access Protocol (LDAP) server is working. 








NOTE: All software we describe in this book has a specific directory and subdirectory in the tar 
compressed archive named floppy-2.0.tgz containing configuration files for the specific 
program. If you get this archive file, you won't be obliged to reproduce the different 
configuration files manually or cut and paste them to create or change your configuration files. 
Whether you decide to copy manually or get the files made for your convenience from the 
compressed archive, it will be your responsibility to modify them to adjust for your needs, and 
place the files related to this software in the appropriate places on your server. The server 
configuration file archive to download is located at the following Internet address: 
ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. 





Running OpenLDAP in a chroot jail 

This part focuses on preventing OpenLDAP from being used as a point of break-in to the system 
hosting it. OpenLDAP by default runs as a non-root user, which will limit any damage to what 
can be done as a normal user with a local shell. Of course, allowing what amounts to an 
anonymous guest account falls rather short of the security requirements for OpenLDAP 
servers, so an additional step can be taken: running OpenLDAP in a chroot jail. 


The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon 
can see to the root directory of the jail. Additionally, since the jail only needs to support 
OpenLDAP, the programs available in the jail can be extremely limited. Most importantly, there 
is no need for setuid-root programs, which can be used to gain root access and break out of the 
jail. By running OpenLDAP in a chroot jail you can improve the security significantly in a Unix 
environment. 
[Figure: OpenLDAP in chroot jail. The chroot jail that hosts the OpenLDAP Lightweight Directory 
Access Protocol server is owned by the user "ldap"; it is a bubble inside our Linux file system 
holding a small copy of the Linux file system structure for OpenLDAP.] 


Necessary steps to run OpenLDAP in a chroot jail: 

What you're essentially doing is creating a skeleton root file system with enough components 
necessary (directories, libraries, files, etc.) to allow Unix to do a chroot when the OpenLDAP 
daemon starts. 


Step 1 

The first step to do for running OpenLDAP in a chroot jail will be to set up the chroot environment, 
and create the root directory of the jail. We've chosen /chroot/openldap for this purpose 
because we want to put this on its own separate file system to prevent file system attacks. Early 
in our Linux installation procedure we created a special partition /chroot for this exact purpose. 


[root@deep /]# /etc/rc.d/init.d/ldap stop     ← Only if the OpenLDAP daemon is already running. 
Stopping slapd:                                            [OK] 
[root@deep /]# mkdir /chroot/openldap 
[root@deep /]# mkdir /chroot/openldap/dev 
[root@deep /]# mkdir /chroot/openldap/lib 
[root@deep /]# mkdir /chroot/openldap/etc 
[root@deep /]# mkdir -p /chroot/openldap/usr/share 
[root@deep /]# mkdir -p /chroot/openldap/usr/lib 
[root@deep /]# mkdir -p /chroot/openldap/usr/sbin 
[root@deep /]# mkdir -p /chroot/openldap/var/lib 
[root@deep /]# mkdir -p /chroot/openldap/var/run 


We need all of the above directories because, from the point of view of the chroot, we're sitting at "/" and 
anything above this directory is inaccessible. 


Step 2 

After that, it is important to move the main configuration directory, all configuration files, the 
database directory and the slapd binary program of the Lightweight Directory Access Protocol 
(LDAP) server into the chroot jail, then create the special devices /dev/null and /dev/urandom, 
which are absolutely required by the system to work properly. Note that /dev/urandom is 
required only if you use TLS/SSL support with OpenLDAP. 


[root@deep /]# mv /etc/openldap /chroot/openldap/etc/ 
[root@deep /]# mv /usr/share/openldap /chroot/openldap/usr/share/ 
[root@deep /]# mv /var/lib/ldap /chroot/openldap/var/lib/ 
[root@deep /]# mv /usr/sbin/slapd /chroot/openldap/usr/sbin/ 
[root@deep /]# mknod /chroot/openldap/dev/null c 1 3 
[root@deep /]# chmod 666 /chroot/openldap/dev/null 
[root@deep /]# mknod /chroot/openldap/dev/urandom c 1 9     ← Only for TLS/SSL. 


Step 4 

This step is required only if you have compiled OpenLDAP with TLS/SSL support. In this case, 
you must recreate a small copy of the /usr/share/ssl directory, with the certs and private 
directories that hold the private and public keys of OpenLDAP, in the chroot jail environment. 


• These procedures can be accomplished with the following commands: 
[root@deep /]# mkdir -p /chroot/openldap/usr/share/ssl 
[root@deep /]# cd /usr/share/ 
[root@deep share]# cp -r ssl/certs /chroot/openldap/usr/share/ssl/ 
[root@deep share]# cp -r ssl/private /chroot/openldap/usr/share/ssl/ 


WARNING: If you have other private and public keys related to other programs and applications 
in the certs and private directories, please don't copy them to the jail environment. Only 
copy the private and public keys related to OpenLDAP, which are supposed to be called 
"ldap.crt" and "ldap.key" respectively. 





Step 5 

Now, we must find the shared library dependencies of slapd binary and install them into the 
chroot structure. Use the ldd /chroot/openldap/usr/sbin/slapd command to find out 
which libraries are needed. The output (depending on what you’ve compiled with OpenLDAP) will 
be something similar to: 


e To find the shared library dependencies of slapd, execute the following command: 
[root@deep /]# ldd /chroot/openldap/usr/sbin/slapd 
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x4001b000) 
libcrypt.so.1 => /lib/libcrypt.so.1 (0x40021000) 
libresolv.so.2 => /lib/libresolv.so.2 (0x4004e000) 
libc.so.6 => /lib/libc.so.6 (0x40060000) 
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) 


What we can see here is that, depending on what programs have been compiled and 
included with OpenLDAP, the shared library dependencies may differ. 


Step 6 
Once the required libraries have been identified, copy them to the appropriate location in the 
chroot jail. In our example these are the shared libraries identified above. 


[root@deep /]# cp /usr/lib/libgdbm.so.2 /chroot/openldap/usr/lib/ 
[root@deep /]# cp /lib/libcrypt.so.1 /chroot/openldap/lib/ 
[root@deep /]# cp /lib/libresolv.so.2 /chroot/openldap/lib/ 
[root@deep /]# cp /lib/libc.so.6 /chroot/openldap/lib/ 
[root@deep /]# strip -R .comment /chroot/openldap/usr/lib/* 


You'll also need the following extra libraries for some network functions, like resolving: 


[root@deep /]# cp /lib/libnss_compat* /chroot/openldap/lib/ 
[root@deep /]# cp /lib/libnss_dns* /chroot/openldap/lib/ 
[root@deep /]# cp /lib/libnss_files* /chroot/openldap/lib/ 
[root@deep /]# strip -R .comment /chroot/openldap/lib/* 


NOTE: The "strip -R .comment" command will remove the section named ".comment" 
from the library files under the /usr/lib and /lib directories of the chroot jail, making 
them smaller in size to help their performance. 
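Steps 5 and 6 automated, as an added example that is not the book's own code: it parses ldd output into the list of host libraries, maps each to the same relative path under the jail, adds the NSS modules that ldd never lists because they are loaded at run time, and performs the copies. SAMPLE_LDD is constructed from the listing in Step 5; the function names are this example's own, and a real build's output will differ.

```python
import glob
import os
import re
import shutil

# Added example, not from the book: derive the jail copy list from ldd output.
# SAMPLE_LDD is constructed from the ldd listing shown in Step 5 above.
SAMPLE_LDD = """\
\tlibgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x4001b000)
\tlibcrypt.so.1 => /lib/libcrypt.so.1 (0x40021000)
\tlibresolv.so.2 => /lib/libresolv.so.2 (0x4004e000)
\tlibc.so.6 => /lib/libc.so.6 (0x40060000)
\t/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""

# "name => /path (0xaddr)". Lines such as "linux-gate.so.1 => (0x...)" (a
# kernel-provided object) have no path and are ignored; "=> not found" lines
# are collected separately so a broken build is noticed before copying.
RESOLVED = re.compile(r"^\s*\S+\s+=>\s+(/\S+)\s+\(0x[0-9a-fA-F]+\)\s*$")
NOT_FOUND = re.compile(r"^\s*(\S+)\s+=>\s+not found\s*$")


def parse_ldd(text):
    """Return (resolved host library paths, names ldd could not find)."""
    found, missing = [], []
    for line in text.splitlines():
        m = RESOLVED.match(line)
        if m:
            found.append(m.group(1))
            continue
        m = NOT_FOUND.match(line)
        if m:
            missing.append(m.group(1))
    return found, missing


def nss_libraries(lib_dir="/lib"):
    """NSS modules are dlopen()ed after start-up, so ldd never lists them;
    the book copies libnss_compat*, libnss_dns* and libnss_files* by hand."""
    names = []
    for pattern in ("libnss_compat*", "libnss_dns*", "libnss_files*"):
        names.extend(sorted(glob.glob(os.path.join(lib_dir, pattern))))
    return names


def jail_copy_plan(libs, jail_root="/chroot/openldap"):
    """Map each host library to the same relative path under the jail
    (/lib/x -> jail/lib/x, /usr/lib/x -> jail/usr/lib/x), as in Step 6."""
    return {lib: os.path.join(jail_root, lib.lstrip("/")) for lib in libs}


def copy_into_jail(plan, copy=shutil.copy2):
    """Create the target directories, copy, and return the paths written."""
    written = []
    for src, dst in plan.items():
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        copy(src, dst)
        written.append(dst)
    return written
```

The same plan can be built from live output with parse_ldd(subprocess.check_output(["ldd", "/chroot/openldap/usr/sbin/slapd"], text=True)); the "strip -R .comment" pass from Step 6 is still run on the copies afterwards.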
Step 7 

Now we need to copy the passwd and group files into the /chroot/openldap/etc 
directory. Next, we'll remove all entries except for the user that openldap runs as in both files 
(passwd and group). 


[root@deep /]# cp /etc/passwd /chroot/openldap/etc/ 
[root@deep /]# cp /etc/group /chroot/openldap/etc/ 


• Edit the passwd file under the chroot jail (vi /chroot/openldap/etc/passwd) and 
delete all entries except for the user openldap runs as (in our configuration, it's "ldap"): 


ldap:x:55:55:OpenLDAP Server:/var/lib/ldap:/bin/false 


• Edit the group file under the chroot jail (vi /chroot/openldap/etc/group) and 
delete all entries except the group openldap runs as (in our configuration it's "ldap"): 


ldap:x:55: 


Step 8 
You will also need /etc/resolv.conf, /etc/nsswitch.conf, /etc/localtime, and 
/etc/hosts files in your chroot jail structure. 


[root@deep /]# cp /etc/resolv.conf /chroot/openldap/etc/ 
[root@deep /]# cp /etc/nsswitch.conf /chroot/openldap/etc/ 
[root@deep /]# cp /etc/localtime /chroot/openldap/etc/ 
[root@deep /]# cp /etc/hosts /chroot/openldap/etc/ 


Step 9 
Now we must set some files in the chroot jail directory immutable for better security. 


• These procedures can be accomplished with the following commands: 
[root@deep /]# cd /chroot/openldap/etc/ 
[root@deep etc]# chattr +i passwd 
[root@deep etc]# chattr +i group 
[root@deep etc]# chattr +i resolv.conf 
[root@deep etc]# chattr +i hosts 
[root@deep etc]# chattr +i nsswitch.conf 
[root@deep etc]# chattr +i localtime 


WARNING: Don't forget to remove the immutable bit on these files if you have some modifications 
to make to them, with the command "chattr -i". 





Step 10 

The default ldap initialization script file of OpenLDAP starts the daemon "slapd" and/or 
"slurpd" outside the chroot jail. We must change it now to start slapd and/or slurpd from the 
chroot jail environment. 


Since there are many lines to modify in the original initialization script file of OpenLDAP to 
make it start in the jail environment, I decided to make a new initialization file as shown below. 
The lines in bold are the ones that differ from the original script file. In this way you'll be 
able to see how I made it. 
• Edit the ldap script file (vi /etc/rc.d/init.d/ldap) and change the following lines: 
#!/bin/bash 
# 
# ldap          This shell script takes care of starting and stopping 
#               ldap servers (slapd and slurpd) in chroot jail. 
# 
# chkconfig: - 39 61 
# description: LDAP stands for Lightweight Directory Access \ 
#              Protocol, used for implementing the industry standard \ 
#              directory services. 
# processname: slapd 
# config: /chroot/openldap/etc/openldap/slapd.conf 
# pidfile: /var/run/slapd.pid 

# Source function library. 
. /etc/init.d/functions 

# Source networking configuration and check that networking is up. 
if [ -r /etc/sysconfig/network ] ; then 
    . /etc/sysconfig/network 
    [ "${NETWORKING}" = "no" ] && exit 0 
fi 

slapd=/chroot/openldap/usr/sbin/slapd 
slurpd=/chroot/openldap/usr/sbin/slurpd 
[ -x ${slapd} ] || exit 0 
#[ -x ${slurpd} ] || exit 0 

RETVAL=0 

function start() { 
    # Start daemons. 
    echo -n $"Starting slapd: " 
    if grep -q ^TLS /chroot/openldap/etc/openldap/slapd.conf ; then 
        daemon ${slapd} -u ldap -r /chroot/openldap/ -h '"ldap:/// ldaps:///"' 
        RETVAL=$? 
    else 
        daemon ${slapd} -u ldap -r /chroot/openldap/ 
        RETVAL=$? 
    fi 
    echo 
    if [ $RETVAL -eq 0 ]; then 
        if grep -q "^replogfile" /chroot/openldap/etc/openldap/slapd.conf; then 
            echo -n $"Starting slurpd: " 
            daemon ${slurpd} -r /chroot/openldap/ 
            RETVAL=$? 
            echo 
        fi 
    fi 
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ldap 
    return $RETVAL 
} 

function stop() { 
    # Stop daemons. 
    echo -n $"Stopping slapd: " 
    killproc ${slapd} 
    RETVAL=$? 
    echo 
    if [ $RETVAL -eq 0 ]; then 
        if grep -q "^replogfile" /chroot/openldap/etc/openldap/slapd.conf; then 
            echo -n $"Stopping slurpd: " 
            killproc ${slurpd} 
            RETVAL=$? 
            echo 
        fi 
    fi 
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /var/run/slapd.args 
    return $RETVAL 
} 

# See how we were called. 
case "$1" in 
    start) 
        start 
        ;; 
    stop) 
        stop 
        ;; 
    status) 
        status ${slapd} 
        if grep -q "^replogfile" /chroot/openldap/etc/openldap/slapd.conf ; then 
            status ${slurpd} 
        fi 
        ;; 
    restart) 
        stop 
        start 
        ;; 
    reload) 
        killall -HUP ${slapd} 
        RETVAL=$? 
        if [ $RETVAL -eq 0 ]; then 
            if grep -q "^replogfile" /chroot/openldap/etc/openldap/slapd.conf; then 
                killall -HUP ${slurpd} 
                RETVAL=$? 
            fi 
        fi 
        ;; 
    condrestart) 
        if [ -f /var/lock/subsys/ldap ] ; then 
            stop 
            start 
        fi 
        ;; 
    *) 
        echo $"Usage: $0 {start|stop|restart|status|condrestart}" 
        RETVAL=1 
esac 
exit $RETVAL 
Step 11 
Finally, we must test the new chrooted jail configuration of our Lightweight Directory Access 
Protocol (LDAP) server. 


• Start the new chrooted jail OpenLDAP with the following command: 
[root@deep /]# /etc/rc.d/init.d/ldap start 
Starting slapd:                                            [OK] 


• If you don't get any errors, do a ps ax | grep slapd and see if we're running: 
[root@deep /]# ps ax | grep slapd 
26214 ?        S      0:00 /chroot/openldap/usr/sbin/slapd -u ldap -r /chroot/openldap 


If so, let's check to make sure it's chrooted by picking out its process number and doing ls -la 
/proc/that_process_number/root/. 


[root@deep /]# ls -la /proc/26214/root/ 


If you see something like: 
dev 
etc 
lib 
usr 
var 


Congratulations! Your Lightweight Directory Access Protocol (LDAP) server in chroot jail is 
working. 


Running OpenLDAP with TLS/SSL support 

This section applies only if you want to run OpenLDAP over an SSL connection. Finally, the new 
release of OpenLDAP supports the TLS/SSL encryption protocol. This is a very good thing for 
security, especially if we remember that in the past we were forced to hack and play with 
many poor external programs to enable this support in OpenLDAP. Now times are different and, as 
you'll see later in this section, enabling OpenLDAP to support the SSL protocol is far easier than 
before. 


Below I show you how to set up a certificate to use with OpenLDAP; the principle is the same as 
for creating a certificate for a Web Server (refer to the OpenSSL chapter if you have problems creating 
the certificates). 


Step 1 

First you have to know the Fully Qualified Domain Name (FQDN) of the Lightweight Directory 
Access Protocol (LDAP) Server for which you want to request a certificate. When you want to 
access your Lightweight Directory Access Protocol (LDAP) Server through ldap.mydomain.com 
then the FQDN of your Lightweight Directory Server is ldap.mydomain.com. 
Step 2 
Second, select five large and relatively random files from your hard drive (compressed log files 
are a good start) and put them under your /usr/share/ssl directory. These will act as your 


• To select five random files and put them under /usr/share/ssl, use the commands: 
[root@deep /]# cp /var/log/boot.log /usr/share/ssl/random1 
[root@deep /]# cp /var/log/cron /usr/share/ssl/random2 
[root@deep /]# cp /var/log/dmesg /usr/share/ssl/random3 
[root@deep /]# cp /var/log/messages /usr/share/ssl/random4 
[root@deep /]# cp /var/log/secure /usr/share/ssl/random5 


Step 3 

Third, create the RSA private key protected with a pass-phrase for your OpenLDAP Server. The 
command below will generate a 1024 bit RSA Private Key and store it in the file ldap.key. It will 
ask you for a pass-phrase: use something secure and remember it. Your certificate will be 
useless without the key. If you don't want to protect your key with a pass-phrase (only if you 
absolutely trust that server machine, and you make sure the permissions are carefully set so only 
you can read that key) you can leave out the -des3 option below. 


• To generate the Key, use the following command: 
[root@deep /]# cd /usr/share/ssl/ 
[root@deep ssl]# openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out ldap.key 1024 
123600 semi-random bytes loaded 
Generating RSA private key, 1024 bit long modulus 
e is 65537 (0x10001) 
Enter PEM pass phrase: 
Verifying password - Enter PEM pass phrase: 


WARNING: Please backup your ldap.key file, and remember the pass-phrase you had to enter, 
at a secure location. A good choice is to backup this information onto a diskette or other 
removable media. 





Step 4 

Finally, generate a Certificate Signing Request (CSR) with the server RSA private key. The 
command below will prompt you for the X.509 attributes of your certificate. Remember to give 
the name ldap.mydomain.com when prompted for 'Common Name'. Do not enter your personal 
name here. We are requesting a certificate for a Lightweight Directory Access Protocol (LDAP) 
Server, so the Common Name has to match the FQDN of that server. 


• To generate the CSR, use the following command: 
[root@deep ssl]# openssl req -new -key ldap.key -out ldap.csr 
Using configuration from /usr/share/ssl/openssl.cnf 
Enter PEM pass phrase: 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
Country Name (2 letter code) [CA]: 
State or Province Name (full name) [Quebec]: 
Locality Name (eg, city) [Montreal]: 
Organization Name (eg, company) [OpenNA.com]: 
Organizational Unit Name (eg, section) [OpenNA.com LDAP Directory Server]: 
Common Name (eg, YOUR name) [ldap.openna.com]: 
Email Address [noc@openna.com]: 

Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []:. 
An optional company name []:. 











WARNING: Make sure you enter the FQDN (Fully Qualified Domain Name) of the server when 
OpenSSL prompts you for the "Common Name" (i.e. when you generate a CSR for a Lightweight 
Directory Server which will later be accessed via ldap.mydomain.com, enter 
ldap.mydomain.com here). 





After generation of your Certificate Signing Request (CSR), you could send this certificate to a 
commercial Certifying Authority (CA) like Thawte or Verisign for signing. You usually have to post 
the CSR into a web form, pay for the signing, await the signed Certificate and store it into an 
ldap.crt file. The result is then a real Certificate, which can be used for OpenLDAP. 


Step 5 

You are not obligated to send your Certificate Signing Request (CSR) to a commercial Certifying 
Authority (CA) for signing. In some cases, and with the OpenLDAP Directory Server, you can become 
your own Certifying Authority (CA) and sign your certificate yourself. In the step below, I 
assume that your CA key pair, which is required for signing a certificate yourself, already exists 
on the server; if this is not the case, please refer to the chapter related to OpenSSL in this book 
for more information about how to create your CA key pair and become your own Certifying 
Authority (CA). 


• To sign server CSRs in order to create real SSL Certificates, use the following command: 
[root@deep ssl]# /usr/share/ssl/misc/sign.sh ldap.csr 
CA signing: ldap.csr -> ldap.crt: 
Using configuration from ca.config 
Enter PEM pass phrase: 
Check that the request matches the signature 
Signature ok 
The Subjects Distinguished Name is as follows 
countryName           :PRINTABLE:'CA' 
stateOrProvinceName   :PRINTABLE:'Quebec' 
localityName          :PRINTABLE:'Montreal' 
organizationName      :PRINTABLE:'OpenNA.com' 
organizationalUnitName:PRINTABLE:'OpenNA.com LDAP Directory Server' 
commonName            :PRINTABLE:'ldap.openna.com' 
emailAddress          :IA5STRING:'noc@openna.com' 
Certificate is to be certified until Mar 15 07:15:45 2002 GMT (365 days) 
Sign the certificate? [y/n]:y 
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
CA verifying: ldap.crt <-> CA cert 
ldap.crt: OK 

This signs the CSR and results in a ldap.crt file. 

602                                     OpenLDAP                                   CHAPTER 15 

Step 6 
Now, we must place the certificates files (Idap.key and ldap.crt) to the appropriate 
directories and change their default permission modes to be (0400 /-r-------- ), owned by the 


user called ‘ldap’ for OpenLDAP to be able to find and use them when it will start its daemon. 


• To place the certificates into the appropriate directories, use the following commands:
[root@deep ssl]# mv ldap.key private/
[root@deep ssl]# mv ldap.crt certs/
[root@deep ssl]# chmod 400 private/ldap.key
[root@deep ssl]# chmod 400 certs/ldap.crt
[root@deep ssl]# chown ldap.ldap private/ldap.key
[root@deep ssl]# chown ldap.ldap certs/ldap.crt
[root@deep ssl]# rm -f ldap.csr


First we move the ldap.key file to the private directory and the ldap.crt file to the certs
directory. After that we change the permission mode and ownership of both files so that they are
readable only by their owner, the OpenLDAP user called 'ldap', for security reasons. Finally we remove
the ldap.csr file from our system since it is no longer needed.


Step 7 

To allow TLS/SSL-enabled connections with OpenLDAP, we must specify two new options in
the slapd.conf file. The two TLS lines below are the parts that must be customized and
adjusted to satisfy your needs.


• Edit the slapd.conf file (vi /etc/openldap/slapd.conf), and add the following
lines:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

# Enable TLS/SSL connections with OpenLDAP
TLSCertificateFile      /usr/share/ssl/certs/ldap.crt
TLSCertificateKeyFile   /usr/share/ssl/private/ldap.key

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
readonly        off
suffix          "dc=openna, dc=com"
rootdn          "cn=Manager, dc=openna, dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap

# ldbm indexed attribute definitions
index   uid             pres,eq
index   cn,sn,uid       pres,eq,approx,sub
index   objectClass     eq

# ldbm access control definitions
defaultaccess   read
access to attr=userpassword
        by self write
        by dn="cn=Manager, dc=openna, dc=com" write
        by * compare





The TLSCertificateFile line specifies the file that contains the slapd server certificate, and
the TLSCertificateKeyFile line specifies the file that contains the slapd server private key that
matches the certificate stored in the TLSCertificateFile file.








NOTE: If you are running OpenLDAP in a chroot jail environment, then the slapd.conf file will be
located under the /chroot/openldap/etc/openldap directory and not under /etc/openldap.








Step 8

The OpenLDAP TLS/SSL-enabled connections run by default on port 636. To allow external
traffic through this port (636), we must add a new rule to our firewall script file for the
Lightweight Directory Access Protocol (LDAP) server to accept external connections.


• Edit the iptables script file (vi /etc/rc.d/init.d/iptables), and add/check the
following lines to allow OpenLDAP packets with TLS/SSL support to traverse the network:

# OpenLDAP TLS server (636)
# -------------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 636 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 636 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

Where EXTERNAL_INTERFACE="eth0"      # Internet connected interface
Where IPADDR="207.35.78.8"           # Your IP address for eth0
Where UNPRIVPORTS="1024:65535"       # Unprivileged port range
Step 9

Finally, we must restart our OpenLDAP server and firewall for the changes to take effect.

• To restart OpenLDAP use the following command:
[root@deep /]# /etc/rc.d/init.d/ldap restart
Stopping slapd:                                            [  OK  ]
Starting slapd:                                            [  OK  ]

• To restart your firewall use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables restart
Shutting Firewalling: done
Starting Firewalling: done
done

NOTE: With SSL support activated in OpenLDAP, the slapd daemon of the program will ask you
during startup to enter the pass phrase of the certificate, therefore don't forget it.





Securing OpenLDAP

This section deals especially with actions we can take to improve and tighten security of the
OpenLDAP Lightweight Directory Access Protocol (LDAP) server. The interesting point here is
that we refer to the features available within the base installed program and not to any additional
software.

Using an encrypted root password

With a default installation of OpenLDAP, a clear text password for the rootdn is used. Use of
strong authentication is encouraged through the use of the slappasswd command utility of the
directory server.

Below, I show you how to use an encrypted root password, which is a much better idea than
leaving a plain text root password in the slapd.conf file.


Step 1

Our first action will be to use the slappasswd tool of OpenLDAP to generate hashed passwords.
The utility will prompt you to enter, twice, the user password that you want it to generate in an
encrypted form. The scheme we must generate is the so-called {CRYPT} scheme, and we specify it with
the "-h" option during hashed password generation.

[root@deep /]# /usr/sbin/slappasswd -h {CRYPT}
New password:
Re-enter new password:
{CRYPT}SdmwctNoMkNgQ

Here the generated "{CRYPT}SdmwctNoMkNgQ" line is the one that we must copy into the
/etc/openldap/slapd.conf file to replace the old clear text password for the rootdn.
Step 2

Once we get the generated hashed password line for our root dn, we must edit the slapd.conf
file and add it to the rootpw line.

• Edit the slapd.conf file (vi /etc/openldap/slapd.conf) and change the line:

rootpw          secret

To read:

rootpw          {CRYPT}SdmwctNoMkNgQ








NOTE: Use of hashed passwords does not protect passwords during protocol transfer. TLS or 
other eavesdropping protections should be in place before using LDAP simple bind. The hashed 
password values should be protected as if they were clear text passwords. 
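Added example (not code from the book): a small audit of the points above, checking that rootpw is a slappasswd hash rather than clear text, that both TLS directives from Step 7 are present, and that the private key from Step 6 is mode 0400 and owned by ldap. The two configurations are constructed from the book's listings; the key-file demo uses a throw-away placeholder file owned by whoever runs it, standing in for the ldap user.

```python
"""Audit the hardening points of Step 6, Step 7 and the rootpw section above:
hashed rootpw, both TLS options set, private key mode 0400 owned by ldap.
Added example, not code from the book; BEFORE_CONF and AFTER_CONF are
constructed from its slapd.conf listings."""
import os
import pwd
import re
import stat
import tempfile

HASH_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(\S+)$")  # {SCHEME}hash as slappasswd prints it

BEFORE_CONF = """\
# constructed: the book's initial listing (clear-text rootpw, no TLS)
database     ldbm
suffix       "dc=openna, dc=com"
rootdn       "cn=Manager, dc=openna, dc=com"
rootpw       secret
"""

AFTER_CONF = """\
# constructed: the book's hardened listing (hashed rootpw, TLS enabled)
TLSCertificateFile    /usr/share/ssl/certs/ldap.crt
TLSCertificateKeyFile /usr/share/ssl/private/ldap.key
database     ldbm
suffix       "dc=openna, dc=com"
rootdn       "cn=Manager, dc=openna, dc=com"
rootpw       {CRYPT}SdmwctNoMkNgQ
"""

def parse_slapd_conf(text):
    """Map each directive (lower-cased) to its values. '#' lines are comments
    and a line starting with whitespace continues the previous directive."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    conf = {}
    for line in logical:
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit_slapd_conf(text):
    """Return (severity, message) findings for the text of a slapd.conf."""
    conf = parse_slapd_conf(text)
    findings = []
    for rootpw in conf.get("rootpw", []):
        m = HASH_SCHEME_RE.match(rootpw)
        if not m:
            findings.append(("HIGH", "rootpw is clear text; generate it with "
                                     "slappasswd -h {CRYPT}"))
        elif m.group(1).upper() == "CRYPT" and len(m.group(2)) == 13:
            # 13-character crypt(3) output is traditional DES crypt, which
            # only uses the first 8 characters of the password
            findings.append(("INFO", "rootpw is a traditional DES {CRYPT} hash; "
                                     "only 8 password characters are significant"))
    for directive in ("tlscertificatefile", "tlscertificatekeyfile"):
        if directive not in conf:
            findings.append(("MEDIUM", f"{directive} is not set; TLS on port 636 "
                                       "cannot be served"))
    return findings

def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def check_private_key_file(path, expected_owner="ldap"):
    """Step 6: the key file must be mode 0400 and owned by the ldap user."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode != 0o400:
        findings.append(("HIGH", f"{path}: mode {mode:04o}, expected 0400"))
    if _owner_name(st.st_uid) != expected_owner:
        findings.append(("MEDIUM", f"{path}: not owned by {expected_owner}"))
    return findings

def demo_private_key_check():
    """Audit a throw-away placeholder key file before and after chmod 400; the
    invoking user stands in for 'ldap'. Returns (loose_findings, tight_findings)."""
    me = _owner_name(os.getuid())
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "ldap.key")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not a real private key\n")
        os.chmod(key, 0o644)
        loose = check_private_key_file(key, expected_owner=me)
        os.chmod(key, 0o400)
        tight = check_private_key_file(key, expected_owner=me)
    return loose, tight
```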





Immunize important configuration files

The immutable bit can be used to prevent one from accidentally deleting or overwriting a file that
must be protected. It also prevents someone from creating a symbolic link to this file. Once your
slapd.conf file has been configured, it's a good idea to immunize it with a command like:

[root@deep /]# chattr +i /etc/openldap/slapd.conf

or:

[root@deep /]# chattr +i /chroot/openldap/etc/openldap/slapd.conf

if you are running OpenLDAP in a chroot jail environment.


Optimizing OpenLDAP

This section deals especially with actions we can take to improve the performance of the
OpenLDAP Lightweight Directory Access Protocol (LDAP) server. Take note that we refer to the
features available within the base installed program.

Get some fast SCSI hard disks

One of the most important parts of optimizing an OpenLDAP server, as for the majority of all
SQL database servers, is the speed of your hard disk: the faster it is, the faster your database will
run. Consider a SCSI disk with low seek times, like 4.2ms; this can make all the difference. Much
greater performance can also be achieved with RAID technology.


Skip the updating of the last access time

As you should know by now, the noatime attribute of Linux eliminates the need for the
system to write to the file system each time a file is read. Mounting the file system where your OpenLDAP
Lightweight Directory Access Protocol (LDAP) server lives with the noatime attribute will avoid
some disk seeks and will improve the performance of your directory server.

If you want to mount the file system of the OpenLDAP Lightweight Directory Access Protocol
(LDAP) server with the noatime attribute, it's important to create and install its databases in this
partition. In our example, we created this partition early in chapter 2 of this book, named
"Linux Installation", and this partition is located on /var/lib.


Step 1

To mount the file system of the OpenLDAP Lightweight Directory Access Protocol (LDAP) server with
the noatime option, you must edit the fstab file (vi /etc/fstab) and add to the line that
refers to the /var/lib file system the noatime option after the defaults option, as shown below:

• Edit the fstab file (vi /etc/fstab), and change the line:

LABEL=/var/lib          /var/lib          ext2    defaults          1 2

To read:

LABEL=/var/lib          /var/lib          ext2    defaults,noatime  1 2








NOTE: The line related to /var/lib in your /etc/fstab file could be different from the one I
show you above; this is just an example. Also, if you are running OpenLDAP in a chroot jail
environment, the file system to mount with the noatime option will be /chroot and not
/var/lib.





Step 2

Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the
Linux system about the modification.

• This can be accomplished with the following command:
[root@deep /]# mount /var/lib -oremount

Each file system that has been modified must be remounted with the command as shown above.
In our example we have modified the /var/lib file system and it is for this reason that we
remount this file system with the above command.


Step 3

After your file system has been remounted, it is important to verify that the modification to the
fstab file has been correctly applied to the Linux system.

• You can verify that the modification has been correctly applied with the following command:
[root@deep /]# cat /proc/mounts
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda10 /cache ext2 rw 0 0
/dev/sda9 /chroot ext2 rw 0 0
/dev/sda8 /home ext2 rw 0 0
/dev/sda13 /tmp ext2 rw 0 0
/dev/sda7 /usr ext2 rw 0 0
/dev/sda11 /var ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw,noatime 0 0
none /dev/pts devpts rw 0 0

This command will show you all file systems in your Linux server with the parameters applied to them.
If you see something like:

/dev/sda12 /var/lib ext2 rw,noatime 0 0

Congratulations!








NOTE: Look under chapter related to Linux Kernel in this book for more information about the 
noatime attribute and other tunable parameters. 





Further documentation

For more details, there are several manual pages for OpenLDAP that you can read; below I show
you just the most important:

$ man slapd (8)                 - Stand-alone LDAP Daemon
$ man slapd.conf (5)            - Configuration file for slapd, the stand-alone LDAP daemon
$ man slurpd (8)                - Standalone LDAP Update Replication Daemon
$ man ud (1)                    - Interactive LDAP Directory Server query program
$ man ldapd (8)                 - LDAP X.500 Protocol Daemon
$ man ldapdelete (1)            - LDAP delete entry tool
$ man ldapfilter.conf (5)       - Configuration file for LDAP get filter routines
$ man ldapfriendly (5)          - Data file for LDAP friendly routines
$ man ldapmodify, ldapadd (1)   - LDAP modify entry and ldap add entry tools
$ man ldapmodrdn (1)            - LDAP modify entry RDN tool
$ man ldappasswd (1)            - Change the password of an LDAP entry
$ man ldapsearch (1)            - LDAP search tool
$ man ldapsearchprefs.conf (5)  - Configuration file for LDAP search preference routines
$ man ldaptemplates.conf (5)    - Configuration file for LDAP display template routines
$ man ldif (5)                  - LDAP Data Interchange Format


OpenLDAP Administrative Tools

The commands listed below are some that we use often, but many more exist. Check the manual
pages of OpenLDAP and documentation for more information.

Creating an LDBM backend database

There are two methods to create a database for LDAP: the first is off-line with the slapadd
command utility and the other is on-line with the ldapadd command utility.

Usually you use the off-line method when you have many thousands of entries to insert into your
database and the on-line method when you have only a small number of entries to put into your
database. It is also important to note that the off-line method requires that the slapd daemon is not
running and the on-line method requires that the slapd daemon of OpenLDAP is running.

slapadd

When you install OpenLDAP for the first time and have many entries to put in your backend
database, it's always a good idea to put all this information into a text file and add it to your
backend database with the slapadd command utility. This command is used to create the LDBM
backend database off-line. To do it, the first thing will be to create an LDIF (LDAP Data
Interchange Format) input file containing a text representation of your entries. To summarize, the
slapadd tool of OpenLDAP converts an LDIF file into an LDBM back-end database.
Step 1

The text file named "datafiles" below can be used as an example file (of course, your real
LDIF input file will handle much more information than this example). A blank line indicates that
the entry is finished and that another entry is about to begin.

• Create the datafiles file (touch /tmp/datafiles) and add as an example in this
file the following lines:

# Organization's Entry
dn: dc=openna, dc=com
dc: openna
objectclass: dcObject
objectclass: organization
o: OpenNA.com Inc.

#
# Gerhard's Entry
dn: cn=Gerhard Mourani, dc=openna, dc=com
cn: Gerhard Mourani
sn: Mourani
objectclass: organizationalRole
objectclass: organizationalPerson

#
# Ted's Entry
dn: cn=Ted Nakad, dc=openna, dc=com
cn: Ted Nakad
sn: Nakad
description: Agent & Sales Manager
objectclass: organizationalRole
objectclass: organizationalPerson

The above entries show you a very basic example of how to convert your information
into LDIF files before adding them to your new backend directory. Consult the OpenLDAP
documentation and especially good books for more information.








NOTE: Before adding any objects under the database, you have to add an entry for your
organization first. This is done with the following entries in the above example.

dn: dc=openna, dc=com
dc: openna
objectclass: dcObject
objectclass: organization
o: OpenNA.com Inc.

Please note that these entries must be entered only one time to create your organization; after
that all you have to do is to add additional information as we do for Gerhard's and Ted's.
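Added example (not code from the book): a small LDIF parser plus a check that the organization's entry comes first and that every later entry's parent is already present, which is exactly what slapadd and ldapadd need when they walk the file in order. DATAFILES is constructed from the datafiles example above.

```python
"""Parse the LDIF files fed to slapadd/ldapadd and check their add order.

Added example, not code from the book: slapadd needs the organization's
entry (the suffix dc=openna, dc=com) first and the parent of every later
entry must already be present. DATAFILES is constructed from the book's
datafiles example."""
import base64

DATAFILES = """\
# Organization's Entry
dn: dc=openna, dc=com
dc: openna
objectclass: dcObject
objectclass: organization
o: OpenNA.com Inc.

# Gerhard's Entry
dn: cn=Gerhard Mourani, dc=openna, dc=com
cn: Gerhard Mourani
sn: Mourani
objectclass: organizationalRole
objectclass: organizationalPerson

# Ted's Entry
dn: cn=Ted Nakad, dc=openna, dc=com
cn: Ted Nakad
sn: Nakad
description: Agent & Sales Manager
objectclass: organizationalRole
objectclass: organizationalPerson
"""


def _lines_to_entry(lines):
    """Turn the 'attr: value' lines of one entry into attr -> [values]."""
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: ...' carries a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def parse_ldif(text):
    """Return the entries of an LDIF text as a list of attr -> [values] dicts.

    Per RFC 2849, '#' lines are comments, a blank line ends an entry and a
    line starting with a single space continues the previous value."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                entries.append(_lines_to_entry(lines))
                lines = []
        else:
            lines.append(raw)
    return entries


def normalize_dn(dn):
    """Lower-case a DN and drop the spaces after commas so DNs compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parent_dn(dn):
    """Strip the leading RDN: 'cn=Ted Nakad,dc=openna,dc=com' -> 'dc=openna,dc=com'."""
    return normalize_dn(dn).partition(",")[2]


def check_add_order(entries, suffix):
    """Return the problems slapadd/ldapadd would hit adding entries in file order.

    The first entry must be the suffix (the organization's entry) and every
    later entry's parent must have appeared before it."""
    problems, seen = [], set()
    suffix = normalize_dn(suffix)
    for i, entry in enumerate(entries):
        dns = entry.get("dn", [])
        if len(dns) != 1:
            problems.append(f"entry {i}: missing or repeated dn")
            continue
        dn = normalize_dn(dns[0])
        if i == 0 and dn != suffix:
            problems.append(f"entry 0: {dn!r} is not the suffix {suffix!r}")
        elif i > 0 and parent_dn(dn) not in seen:
            problems.append(f"entry {i}: parent of {dn!r} not added yet")
        seen.add(dn)
    return problems
```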





Step 2

Once the LDIF input file containing our entries has been created, we must insert them into the
Lightweight Directory Access Protocol (LDAP) server.

• To insert the LDIF input file and create the database off-line, use the following command
if OpenLDAP does not run in a chroot jail environment:
[root@deep /]# cd /tmp/
[root@deep tmp]# slapadd -l datafiles

The "-l" option specifies the location of the LDIF input file (datafiles) containing the entries in
text form to add.

• To insert the LDIF input file and create the database off-line, use the following command
if OpenLDAP runs in a chroot jail environment:
[root@deep /]# cd /tmp/
[root@deep tmp]# slapadd -l datafiles -f /chroot/openldap/etc/openldap/slapd_chroot.conf

The "-l" option specifies the location of the LDIF input file (datafiles) containing the entries in
text form to add and the "-f" option specifies where the slapd.conf configuration file resides. In
our case, and since the server runs in a chroot jail environment, this file is located under our jail
structure and called slapd_chroot.conf, which is a copy of the original slapd.conf file
containing the paths of our chroot jail.

To summarize, if you run OpenLDAP in a chroot jail, you must have the slapd.conf and
slapd_chroot.conf files in the /chroot/openldap/etc/openldap directory. The
slapd.conf file is the original one and the slapd_chroot.conf file is a modified copy of the
original file containing the path of our chroot jail environment, for the slapadd command utility of
OpenLDAP to work off-line.





Below is a working example of the content of the modified copy of the slapd.conf file, which I
called "slapd_chroot.conf". Of course I suppose that your chroot jail resides under the
/chroot/openldap directory:

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /chroot/openldap/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

# Enable TLS/SSL connections with OpenLDAP
TLSCertificateFile      /chroot/openldap/usr/share/ssl/certs/ldap.crt
TLSCertificateKeyFile   /chroot/openldap/usr/share/ssl/private/ldap.key

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
readonly        off
suffix          "dc=openna, dc=com"
rootdn          "cn=Manager, dc=openna, dc=com"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {CRYPT}SdmwctNoMkNgQ

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory       /chroot/openldap/var/lib/ldap

# ldbm indexed attribute definitions
index   default         pres,eq
index   objectClass,uid
index   cn,sn           eq,sub

# ldbm access control definitions
defaultaccess   read
access to attr=userpassword
        by self write
        by dn="cn=Manager, dc=openna, dc=com" write
        by * compare











NOTE: The slapd daemon of OpenLDAP is not started in this creation mode. Be sure to replace 
all required information with the appropriate domain components of your domain name. 





ldapadd

If the entries in your directory server are already created or if you have only a small amount of
information to insert into your backend database, you'll prefer to use the ldapadd command
utility to do your job on-line. The ldapadd utility is used to add entries to your directory while the
LDAP server is running and expects input in LDIF (LDAP Data Interchange Format) form.

Step 1

For example, to add the "Europe Mourani" entry using the ldapadd tool, you could create a
file called "entries" with input in LDIF form in your /tmp directory.





• Create the entries file (touch /tmp/entries) and add as an example in this file the
following contents:

# Organization's Specifications
dn: dc=openna, dc=com
dc: openna
objectclass: dcObject
objectclass: organization
o: OpenNA.com Inc.

# Europe's Entry
dn: cn=Europe Mourani, dc=openna, dc=com
cn: Europe Mourani
sn: Mourani
description: Marketing Representatif
objectclass: organizationalRole
objectclass: organizationalPerson
Step 2

Once the entries file has been created, we must add its content into the OpenLDAP Lightweight
Directory Access Protocol (LDAP) server.

• To actually create the entry on-line in the backend database, use the following command:
[root@deep /]# cd /tmp/
[root@deep tmp]# ldapadd -f entries -D "cn=Manager, dc=openna, dc=com" -W
Enter LDAP Password:
adding new entry "dc=openna, dc=com"
adding new entry "cn=Europe Mourani, dc=openna, dc=com"

The above command assumes that you have set your rootdn to "cn=Manager, dc=openna,
dc=com" and rootpw to an encrypted root password. You will be prompted to enter the
root password.








NOTE: The slapd daemon of OpenLDAP is started in this creation mode. Be sure to replace all 
required information with the appropriate domain components of your domain name. 





ldapmodify

Contrary to relational databases where data is constantly changed, the directory server contains
information that is rarely modified once inserted. But sometimes you need to modify information,
and the ldapmodify tool will help you in your tasks. The ldapmodify command allows you to
modify entries on the backend directory server.

Step 1

Assuming that we want to replace the contents of the "Europe Mourani" entry's description
attribute with the new value "Marketing Representative", the following steps will do it.





• Create the lnew file (touch /tmp/lnew) and add as an example in this file the
following contents:

dn: cn=Europe Mourani, dc=openna, dc=com
changetype: modify
replace: description
description: Marketing Representativ








Step 2

Once the lnew file has been created, we must replace the entry in the OpenLDAP directory
server with the one contained in this file (lnew).

• To modify the contents of the backend database, use the following command:
[root@deep /]# cd /tmp/
[root@deep tmp]# ldapmodify -f lnew -D 'cn=Manager, dc=openna, dc=com' -W
Enter LDAP Password:
modifying entry "cn=Europe Mourani, dc=openna, dc=com"
OpenLDAP Users Tools

The commands listed below are some that we use often, but many more exist. Check the manual
pages of OpenLDAP and documentation for more information.


ldapsearch

The ldapsearch utility searches through the backend database of the LDAP directory for the
information/entries you have requested.

• To search the LDAP directory for entries, use the following command:
[root@deep /]# ldapsearch -b 'dc=openna, dc=com' 'cn=europe*'
version: 2

#
# filter: cn=europe*
# requesting: ALL
#

# Europe Mourani, dc=openna, dc=com
dn: cn=Europe Mourani, dc=openna, dc=com
cn: Europe Mourani
sn: Mourani
objectClass: organizationalRole
objectClass: person
description: Marketing Representativ

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This command will retrieve all entries and values for the name europe and will print the result to
standard output in your terminal.


Some possible uses of OpenLDAP software

OpenLDAP can be used as:

• A Web Catalogue Server
• A White Pages Server
• A Certificate Server
• An Access Control Server
• A Network Name Server


List of installed OpenLDAP files on your system 


Part XI Gateway Server Related Reference
In this Part


Other Server - Squid Proxy Server
Other Server - FreeS/WAN VPN Server


This part of the book deals exclusively with two programs that are less known or used than the
others we see in the UNIX world. In general this happens because they are used for specific
needs, and often by companies.


Usually, end users don't need to install them, but this will surely change in the future with the
increase of attacks on the Internet. Therefore here is a step-by-step guide on how to configure,
secure, optimize and install them.
26 Gateway Server - Squid Proxy Server
In this Chapter


Recommended RPM packages to be installed for a Proxy Server
Compiling - Optimizing & Installing Squid
Using GNU malloc library to improve cache performance of Squid
Configuring Squid
Securing Squid
Optimizing Squid
The cachemgr.cgi program utility of Squid
Linux Squid Proxy Server


Abstract

Proxy servers, with their capability to save bandwidth, improve security, and increase web-surfing
speed, are becoming more popular than ever. At this time only a few proxy-server programs are
on the market. These proxy servers have two main drawbacks: they are commercial, and they
don't support ICP (ICP is used to exchange hints about the existence of URLs in neighbour
caches). Squid is the best choice for a proxy-cache server since it is robust, free, and can use
ICP features.


Derived from the "cached" software from the ARPA-funded Harvest research project, developed
at the National Laboratory for Applied Network Research and funded by the National Science
Foundation, Squid offers high-performance caching of web clients, and also supports FTP,
Gopher, HTTP and HTTPS data objects.


It stores hot objects in RAM, maintains a robust database of objects on disk, has a complex
access control mechanism, and supports the SSL protocol for proxying secure connections. In
addition, it can be hierarchically linked to other Squid-based proxy servers for streamlined
caching of pages.


In our compilation and configuration we'll show you how to configure Squid depending on your
needs. Two different set-ups are available.


The first will be to configure it to run as an httpd-accelerator to get more performance out of our
Web Server. In accelerator mode, the Squid server acts as a reverse proxy cache: it accepts
client requests, serves them out of cache if possible, or requests them from the origin server for
which it is the reverse proxy.


The second will be to configure Squid as a proxy-caching server to let all users in your corporate
network use Squid to access the Internet. This is a very interesting addition when you run a
Gateway Server in your corporation. A Gateway Server as described in this book plus a Squid
server mounted on it will improve the security and performance of this system. This is also the
solution to control and restrict what can be viewed on the Internet.


With a Squid Server configured as a proxy-caching server on a Gateway Server, you will be able
to block, for example, pornographic sites, underground sites, warez (if you want), etc. Many
possibilities exist, like authorizing access to the Internet based on specific hours or days.
Recommended RPM packages to be installed for a Proxy Server

A minimal configuration provides the basic set of packages required by the Linux operating
system. Minimal configuration is a perfect starting point for building a secure operating system.
Below is the list of all recommended RPM packages required to run your Linux server properly as
a Proxy (SQUID) server running on Squid software.


This configuration assumes that your kernel is a monolithic kernel. Also I suppose that you will
install Squid by RPM package. Therefore, the squid RPM package is already included in the list
below as you can see. The security tools are not installed; it is up to you to install them as you
need them, by RPM packages too, since the compiler packages are not installed and not included
in the list.

basesystem, bdflush, bind, bzip2, chkconfig, console-tools, cpio, cracklib, cracklib-dicts,
crontabs, db1, db2, db3, dev, devfsd, diffutils, e2fsprogs, file, filesystem, fileutils,
findutils, gawk, gdbm, gettext, glib, glibc, glibc-common, grep, groff, gzip, info,
initscripts, iptables, less, libstdc++, libtermcap, lilo, logrotate, losetup, MAKEDEV, man,
mingetty, mktemp, mount, ncurses, net-tools, newt, openssh, openssh-server, pam, passwd,
popt, procps, psmisc, pwdb, qmail, readline, rootfiles, rpm, sed, setup, sh-utils,
shadow-utils, slang, slocate, sysklogd, syslinux, SysVinit, tar, termcap, textutils,
tmpwatch, utempter, util-linux, vim-common, vim-minimal, vixie-cron, words, which, zlib


Tested and fully functional on OpenNA.com.
These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest Squid version number is 2.4.STABLE1





Packages 
The following are based on information as listed by Squid as of 2001/03/20. Please regularly 
check at www.squid-cache.org for the latest status. 


Source code is available from: 


Squid Homepage: http://www.squid-cache.org/ 
Squid FTP Site: 206.168.0.9 


You must be sure to download: squid-2.4.STABLE1-src.tar.gz 





Pristine source

If you don't use the RPM package to install this program, it will be difficult for you to locate all
the files installed on the system in the event of an update in the future. To solve the problem,
it is a good idea to make a list of files on the system before you install Squid, and one
afterwards, and then compare them using the diff utility of Linux to find out what files are
placed where.


•  Simply run the following command before installing the software:
[root@deep /root]# find /* > Squid1


•  And the following one after you install the software:
[root@deep /root]# find /* > Squid2


•  Then use the following command to get a list of what changed:
[root@deep /root]# diff Squid1 Squid2 > Squid-Installed


With this procedure, if any upgrade appears, all you have to do is read the generated list of
what files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of
the system to store all generated list files.
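The before/after listing just described, as an added example that is not part of the book: two small POSIX shell functions take a sorted snapshot of a directory tree and report the paths added between two snapshots. The demo runs them against a constructed temporary tree with made-up file names (they are not real Squid files) so it can be tried without writing Squid1/Squid2 into /root or touching the real filesystem.

```shell
#!/bin/sh
# Added example (not from the book): the book runs `find /* > Squid1` before the
# install and `find /* > Squid2` after, then diffs them. Here both listings are
# sorted so that comm(1) reports exactly the new paths.

# snapshot ROOT OUTFILE : write a sorted list of every path under ROOT to OUTFILE.
snapshot() {
    find "$1" -print | LC_ALL=C sort > "$2"
}

# added_paths BEFORE AFTER : print paths that appear only in the AFTER listing.
# (comm -23 would list paths that disappeared instead.)
added_paths() {
    LC_ALL=C comm -13 "$1" "$2"
}

# demo_install_diff : simulate an install into a constructed temporary tree and
# print what it added, with the temporary prefix stripped so the output reads
# like real system paths.
demo_install_diff() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/sbin" "$root/etc"
    : > "$root/etc/existing.conf"               # present before the "install"
    snapshot "$root" "$root.before"             # the book's Squid1 step

    mkdir -p "$root/etc/squid"                  # constructed stand-in for "make install"
    : > "$root/etc/squid/squid.conf"
    : > "$root/usr/sbin/squid"
    snapshot "$root" "$root.after"              # the book's Squid2 step

    added_paths "$root.before" "$root.after" | sed "s|^$root||"
    rm -rf "$root" "$root.before" "$root.after"
}

demo_install_diff
```

Sorting both listings is what lets comm(1) give an exact list of new paths; diff on unsorted find output can report spurious changes when directory order shifts between runs. On a real host, `snapshot / /root/Squid1` before the install and `snapshot / /root/Squid2` after, then `added_paths /root/Squid1 /root/Squid2`, reproduce the book's procedure.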


Compiling - Optimizing & Installing Squid

Below are the required steps that you must make to configure, compile and optimize the Squid
server software before installing it into your Linux system. First off, we install the program as
user 'root' so as to avoid authorization problems.


Step 1
Once you get the program from the main software site you must copy it to the /var/tmp
directory and change to this location before expanding the archive.


•  These procedures can be accomplished with the following commands:
[root@deep /]# cp squid-version-src.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf squid-version-src.tar.gz
Step 2
To avoid security risks, we must create a new user account called "squid" to be the owner of the
Squid database cache files and daemon.


•  To create this special Squid user account, use the following command:
[root@deep tmp]# useradd -r -d /var/lib/squid -s /bin/false -c "Squid Server" -u 23 squid >/dev/null 2>&1 || :


The above command will create a null account, with no password, no valid shell, no files owned,
nothing but a UID and a GID.


Step 3
After that, move into the newly created Squid source directory and perform the following steps to
configure and optimize the software for your system.


•  To move into the newly created Squid source directory use the command:
[root@deep tmp]# cd squid-2.4.STABLE1/


Step 4

There are some source files to modify before going into configuration and compilation of the
program; the changes allow us to fix some problems and to configure the program for our PATH
environment variable under Linux.


•  Edit the Makefile.in file (vi +18 icons/Makefile.in) and change the line:

DEFAULT_ICON_DIR = $(sysconfdir)/icons

To read:

DEFAULT_ICON_DIR = $(libexecdir)/icons


We change the variable (sysconfdir) to become (libexecdir). With this modification, the
/icons directory of Squid will be located under the /usr/lib/squid directory.


•  Edit the Makefile.in file (vi +39 src/Makefile.in) and change the lines:

DEFAULT_CACHE_LOG = $(localstatedir)/logs/cache.log
To read:
DEFAULT_CACHE_LOG = $(localstatedir)/log/squid/cache.log

DEFAULT_ACCESS_LOG = $(localstatedir)/logs/access.log
To read:
DEFAULT_ACCESS_LOG = $(localstatedir)/log/squid/access.log

DEFAULT_STORE_LOG = $(localstatedir)/logs/store.log
To read:
DEFAULT_STORE_LOG = $(localstatedir)/log/squid/store.log

DEFAULT_PID_FILE = $(localstatedir)/logs/squid.pid
To read:
DEFAULT_PID_FILE = $(localstatedir)/run/squid.pid

DEFAULT_SWAP_DIR = $(localstatedir)/cache
To read:
DEFAULT_SWAP_DIR = $(localstatedir)/lib/squid

DEFAULT_ICON_DIR = $(sysconfdir)/icons
To read:
DEFAULT_ICON_DIR = $(libexecdir)/icons


We change the default location of the "cache.log", "access.log", and "store.log" files to be
under the /var/log/squid directory. Then, we put the pid file of Squid under the /var/run
directory, and finally, locate the /icons directory of Squid under /usr/lib/squid/icons
with the variable (libexecdir) above.


One important note here is the location of the cache directory of Squid. As we can see, we
relocate it under the /var/lib/squid directory since this directory (/var/lib) is on its own
partition. This allows us to isolate this file system from the rest of our operating system and to
eliminate a possible buffer overflow attack. Also, having the directory where the Squid cache will
reside on its own partition will allow us to improve performance by tuning parameters of this
separate partition with commands like ulimit, etc.


Using GNU malloc library to improve cache performance of Squid

If you're suffering from memory limitations on your system, the cache performance of Squid will
be affected. To reduce this problem, you can link Squid with an external malloc library such as
GNU malloc. This library must be installed before compiling Squid on the server. To make
Squid use GNU malloc as an external library, follow these steps:


Packages


GNU malloc Homepage: http://www.gnu.org/order/ftp.html
You must be sure to download: malloc.tar.gz


[root@deep /]# cp malloc.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf malloc.tar.gz




Step 1
Compile and install GNU malloc on your system by executing the following commands:


[root@deep tmp]# cd malloc
[root@deep malloc]# export CC=gcc
[root@deep malloc]# export CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer"
[root@deep malloc]# make


Step 2
Copy the "libmalloc.a" file to your system library directory and be sure to name it
"libgnumalloc.a"


[root@deep malloc]# cp libmalloc.a /usr/lib/libgnumalloc.a


Step 3
Copy the "malloc.h" file to your system include directory and be sure to name it
"gnumalloc.h"


[root@deep malloc]# cp malloc.h /usr/include/gnumalloc.h


With the files "libgnumalloc.a" and "gnumalloc.h" installed in the appropriate location on
your system, Squid will be able to detect them automatically at compile time, and will use
them to improve its cache performance.


Step 4

Once the required modifications have been made to the related source files of Squid as
explained previously and the GNU malloc library has been installed on the system in the
appropriate location, it is time to configure and optimize Squid for our system.


•  To configure and optimize Squid use the following compilation lines:
CC="gcc" \
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--exec-prefix=/usr \
--bindir=/usr/sbin \
--libexecdir=/usr/lib/squid \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--enable-delay-pools \
--enable-cache-digests \
--enable-poll \
--disable-ident-lookups \
--enable-truncate \
--enable-removal-policies="heap" \
--enable-auth-modules="PAM" \
--enable-xmalloc-statistics \
--enable-cachemgr-hostname=www \
--enable-linux-netfilter \
--enable-stacktraces


This tells Squid to set itself up for this particular configuration setup with:

- Use the delay pools feature of Squid to limit and control bandwidth usage for users.
- Use Cache Digests to improve client response time and network utilization.
- Enable poll() instead of select() since it's preferred over select.
- Disable ident-lookups to remove code that performs Ident (RFC 931) lookups and reduce
  possible denial-of-service.
- Enable truncate to gain some performance improvement when removing cached files.
- Use the heap-replacement feature of Squid to have the choice of various cache replacement
  algorithms, instead of the standard LRU algorithm, for better performance.
- Enable PAM proxy authentication backend modules.
- Show malloc statistics in the status page.
- Make cachemgr.cgi default to this host. If you run Squid as an httpd-accelerator, you can
  omit this option, but if you run Squid as proxy-caching, you must keep it and specify the
  hostname of your Web Server (usually www) since a gateway/proxy server doesn't have to run
  a Web Server on the machine.
- Enable transparent proxy support for Linux kernel 2.4.
- Enable automatic call backtrace on fatal errors.


NOTE: Pay special attention to the compile CFLAGS line above. We optimize Squid for an i686
CPU architecture with the parameters "-march=i686" and "-mcpu=i686". Please don't forget to
adjust this CFLAGS line to reflect your own system and architecture.





Step 5

Now, we must make a list of all existing files on the system before installing the software, and one
afterwards, then compare them using the diff utility tool of Linux to find out what files are placed
where, and finally install Squid Proxy Server:


[root@deep squid-2.4.STABLE1]# make
[root@deep squid-2.4.STABLE1]# cd
[root@deep /root]# find /* > Squid1
[root@deep /root]# cd /var/tmp/squid-2.4.STABLE1/
[root@deep squid-2.4.STABLE1]# make install
[root@deep squid-2.4.STABLE1]# mkdir -p /var/lib/squid
[root@deep squid-2.4.STABLE1]# mkdir -p /var/log/squid
[root@deep squid-2.4.STABLE1]# chown squid.squid /var/lib/squid/
[root@deep squid-2.4.STABLE1]# chown squid.squid /var/log/squid/
[root@deep squid-2.4.STABLE1]# chmod 750 /var/lib/squid/
[root@deep squid-2.4.STABLE1]# chmod 750 /var/log/squid/
[root@deep squid-2.4.STABLE1]# rm -rf /var/logs/
[root@deep squid-2.4.STABLE1]# rm -f /usr/sbin/RunCache
[root@deep squid-2.4.STABLE1]# rm -f /usr/sbin/RunAccel
[root@deep squid-2.4.STABLE1]# strip /usr/sbin/squid
[root@deep squid-2.4.STABLE1]# strip /usr/sbin/client
[root@deep squid-2.4.STABLE1]# strip /usr/lib/squid/*
[root@deep squid-2.4.STABLE1]# /sbin/ldconfig
[root@deep squid-2.4.STABLE1]# cd
[root@deep /root]# find /* > Squid2
[root@deep /root]# diff Squid1 Squid2 > Squid-Installed


The make command will compile all source files into executable binaries, and make install will
install the binaries and any supporting files into the appropriate locations. The mkdir command
will create two new directories named "squid" under /var/lib and /var/log.


The rm command will remove the /var/logs directory, since this directory was created to
hold the log files related to Squid that we relocated during compile time into
/var/log/squid.


The chown command will change the owner of /var/lib/squid and /var/log/squid to be the user
squid, and the chmod command will set the mode of both squid directories to (0750/drwxr-x---)
for security reasons.


Take note that we remove the small scripts named "RunCache" and "RunAccel", which start
Squid in either caching mode or accelerator mode, since we use a better script named "squid"
located under the /etc/rc.d/init.d directory that takes advantage of Linux System V. The
strip command will reduce the size of the binaries for optimum performance.


Step 6

Once configuration, optimization, compilation, and installation of the Proxy Server software have
been accomplished, we can free up some disk space by deleting the program tar archive and the
related source directory since they are no longer needed.


•  To delete Squid and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf squid-version/
[root@deep tmp]# rm -rf malloc/
[root@deep tmp]# rm -f squid-version-src.tar.gz
[root@deep tmp]# rm -f malloc.tar.gz


The rm command as used above will remove all the source files we have used to compile and
install Squid and GNU malloc. It will also remove the Squid and GNU malloc compressed
archives from the /var/tmp directory.





Configuring Squid
After Squid has been built and installed successfully on your system, your next step is to
configure and customize all the required parameters in the different Squid configuration files as
prudently as possible:


✓ /etc/squid/squid.conf (The Squid Configuration File)
✓ /etc/sysconfig/squid (The Squid System Configuration File)
✓ /etc/logrotate.d/squid (The Squid Log Rotation File)
✓ /etc/rc.d/init.d/squid (The Squid Initialization File)


Running Squid in a httpd-accelerator mode

The squid.conf file is used to set and configure all the different options for your Squid proxy
server. In the configuration file below, we'll configure the /etc/squid/squid.conf file to be in
httpd-accelerator mode. In this acceleration mode, if the Web Server runs on the same server
where Squid is installed, you must set its daemon to run on port 81. With the Apache Web
Server, you can do it by changing the line (Port 80) to (Port 81) in its httpd.conf file. If the Web
Server runs on another server in your network, as we do, you can keep the same port number (80)
for Apache, since Squid will bind to a different IP address where port (80) is not already in use.
/etc/squid/squid.conf: The Squid Configuration File

The /etc/squid/squid.conf file is the main configuration file for squid. Though there are
hundreds of option tags in this file, you should only need to change some options to get Squid up
and running. The other options give you amazing flexibility, but you can learn about them once
you have Squid running. The text in bold are the parts of the configuration file that must be
customized and adjusted to satisfy our needs.


•  Edit the squid.conf file (vi /etc/squid/squid.conf) and add/change the
following options. Below is what we recommend you:


http_port 80
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 42 MB
redirect_rewrites_host_header off
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /var/lib/squid 200 16 256
emulate_httpd_log on
acl all src 0.0.0.0/0.0.0.0
http_access allow all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
httpd_accel_host 207.35.78.3
httpd_accel_port 80
logfile_rotate 0
log_icp_queries off
cachemgr_passwd my-secret-pass all
buffered_logs on

This tells the squid.conf file to set itself up for this particular configuration with:


http_port 80

The option "http_port" specifies the port number where Squid will listen for HTTP client
requests. If you set this option to port 80, the client will have the illusion of being connected to the
Apache Web Server. Since we are running Squid in accelerator mode, we must listen on port
80.


icp_port 0

The option "icp_port" specifies the port number where Squid sends and receives ICP
requests from neighboring caches. We must set the value of this option to "0" to disable it, since
we are configuring Squid to be in accelerator mode for the Web Server. The ICP feature is
needed only in a multi-level cache environment with multiple siblings and parent caches. Using
ICP in an accelerator mode configuration would add unwanted overhead to Squid. This is an
optimization feature.


hierarchy_stoplist cgi-bin ?

The option "hierarchy_stoplist cgi-bin ?" tells Squid not to query neighbour caches for
certain objects. The above line is recommended.


acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

The options "acl QUERY urlpath_regex cgi-bin \?" and "no_cache deny QUERY" are
used to force certain objects to never be cached, like files under the "cgi-bin" directory. This is a
security feature.














cache_mem 42 MB

The option "cache_mem" specifies the amount of memory (RAM) to be used for caching the so
called In-Transit objects, Hot Objects and Negative-Cached objects. It's important to note that Squid
can use much more memory than the value you specify in this parameter. For example, if you
have 256 MB free for Squid, you must put 256/3 = 85 MB here. This is an optimization feature.


redirect_rewrites_host_header off

The option "redirect_rewrites_host_header", if set to "off", tells Squid not to rewrite
any Host: header in redirected requests. It's recommended to set this option to "off" if you are
running Squid in accelerator mode.








cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF

The options "cache_replacement_policy" and "memory_replacement_policy heap
GDSF" specify the cache policy Squid will use to determine which objects in the cache must be
replaced when the proxy needs to make disk space, and which objects are purged from memory
when memory space is needed. In our configuration, we choose the GDSF (Greedy-Dual Size
Frequency) policy as our default policy. See http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html for more information.


cache_dir ufs /var/lib/squid 200 16 256

The option "cache_dir" specifies in order: which kind of storage system to use (ufs), the name
of the cache directory (/var/lib/squid) for Squid, the disk space in megabytes to use under
this directory (200 Mbytes), the number of first-level subdirectories to be created under the
cache directory (16 Level-1), and the number of second-level subdirectories to be created
under each first-level cache directory (256 Level-2). In accelerator mode, this option is directly
related to the size and number of files that you want to serve with your Apache Web Server.


emulate_httpd_log on

The option "emulate_httpd_log", if set to "on", specifies that Squid should emulate the log file
format of the Apache Web Server. This is very useful if you want to use a third party program like
Webalizer to analyze and produce static reports on the Web Server (httpd) log file.


acl all src 0.0.0.0/0.0.0.0
http_access allow all

The options "acl" and "http_access" specify and define an access control list to be applied on
the Squid Proxy Server. Our "acl" and "http_access" options are not restricted, and allow
everyone to connect to the proxy server since we use this proxy to accelerate the public Apache
Web Server. See your Squid documentation for more information when using Squid in non-
accelerator mode.


cache_mgr root

The option "cache_mgr" specifies the email address of the administrator responsible for the
Squid Proxy Server. This person is the one who will receive mail if Squid encounters problems.
You can specify the name or the complete email address in this option.
cache_effective_user squid
cache_effective_group squid

The options "cache_effective_user" and "cache_effective_group" specify the
UID/GID that the cache will run as. Don't forget to never run Squid as "root". In our
configuration we use the UID "squid" and the GID "squid". This is a security feature.


httpd_accel_host 207.35.78.3
httpd_accel_port 80

The options "httpd_accel_host" and "httpd_accel_port" specify to Squid the IP address
and port number where the real HTTP Server (i.e. Apache) resides. In our configuration, the real
HTTP Web Server is on IP address 207.35.78.3 (www.openna.com) and on port (80).

"www.openna.com" is another FQDN on our network, and since the Squid Proxy Server doesn't
reside on the same host as the Apache HTTP Web Server, we can use port (80) for our Squid Proxy
Server, and port (80) for our Apache Web Server, and the illusion is perfect.


logfile_rotate 0

The option "logfile_rotate" specifies the number of logfile rotations that we want the Squid
program to make. Setting the value to 0 will disable the default rotation and will let us control this
feature through our personal logrotate script file on Linux. This is what we need to do on Linux
and use our own log script file to make the appropriate rotation of Squid log files.


log_icp_queries off

The option "log_icp_queries" specifies whether you want ICP queries (ICP is used to exchange
hints about the existence of URLs in neighbour caches) to be logged to the "access.log" file or
not. Since we don't use the ICP feature in Squid accelerator mode, we can safely set this option
to "off".


cachemgr_passwd my-secret-pass all

The option "cachemgr_passwd" specifies a password that will be required for accessing the
operations of the "cachemgr.cgi" program utility. This CGI utility program is designed to run
through a web interface and outputs statistics about the Squid configuration and performance.
The <my-secret-pass> is the password that you have chosen, and the keyword <all>
specifies that this password is the same for all actions you can perform with this program.
See "The cachemgr.cgi program utility of Squid", below in this chapter, for more information.


buffered_logs on
The option "buffered_logs", if turned "on", can speed up the writing of some log files slightly.
This is an optimization feature.


Running Squid in a proxy-caching mode

With some minor modifications to the squid.conf file we have defined above to run in httpd-
accelerator mode, we can run Squid as a proxy-caching server. With a proxy-caching server, all
users in your corporate network will use Squid to access the Internet.


With this configuration, you can have complete control, and apply special policies on what can be
viewed, accessed, and downloaded. You can also control bandwidth usage, connection time, and
so on. A proxy cache server can be configured to run as a stand-alone server for your corporation,
or to use and share caches hierarchically with other proxy servers around the Internet.


With the first example below we show you how to configure Squid as a stand-alone server, and
then speak a little bit about a cache hierarchy configuration, where two or more proxy-cache
servers cooperate by serving documents to each other.


Proxy-caching Server

/etc/squid/squid.conf: The Squid Configuration File

To set up Squid as a proxy-caching server, we use the same configuration file as above but with
some additions and modifications to the defaults related to Squid in httpd-accelerator mode. The
text in bold are the parts of the configuration file that must be customized and adjusted to satisfy
our needs. The rest of the parameters are the same as for Squid in httpd-accelerator mode and I
recommend you read the configuration section related to Squid in accelerator mode for more
information on each option.


•  Edit the squid.conf file (vi /etc/squid/squid.conf) and add/change the
following options for a proxy cache that runs as a stand-alone server. Below is what we
recommend you:


icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 42 MB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /var/lib/squid 200 16 256
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
cache_mgr root
cache_effective_user squid
cache_effective_group squid
logfile_rotate 0
log_icp_queries off
cachemgr_passwd my-secret-pass all
buffered_logs on




















NOTE: In the above configuration example, the default Proxy port 3128 will be used. If you prefer
to use another port like 8080, all you have to do is add the parameter "http_port
8080" and configure your clients accordingly.


The big difference from the httpd-accelerator mode configuration is the use of access control lists
(ACL). This feature allows you to restrict access based on source IP address (src), destination IP
address (dst), source domain, destination domain, time, and so on. Many types exist with this
feature, and you should consult the "squid.conf" file for a complete list.


The four most used types are as follows:


acl name       type       data
acl some-name  src        a.b.c.d/e.f.g.h   # ACL restricts access based on source IP address
acl some-name  dst        a.b.c.d/e.f.g.h   # ACL restricts access based on destination IP address
acl some-name  srcdomain  foo.com           # ACL restricts access based on source domain
acl some-name  dstdomain  foo.com           # ACL restricts access based on destination domain
As an example, to restrict access to your Squid proxy server to only your internal clients, and to 
a specific range of designated ports, something like the following will do the job: 


acl localnet src 192.168.1.0/255.255.255.0 
acl localhost src 127.0.0.1/255.255.255.255 
acl Safe_ports port 80 443 210 70 21 1025-65535 
acl CONNECT method CONNECT 
acl all src 0.0.0.0/0.0.0.0 
http_access allow localnet 
http_access allow localhost 
http_access deny !Safe_ports 
http_access deny CONNECT 
http_access deny all 

This acl configuration will allow all internal clients from the private class C network 192.168.1.0 to 
access the proxy server; it’s also recommended that you allow the localhost IP (a special IP 
address used by your own server) to access the proxy. 


After we choose a range of ports (80=http, 443=https, 210=wais, 70=gopher, and 21=ftp) which 
our internal clients can use to access the Internet, we deny the CONNECT method to prevent 
outside people from trying to connect to the proxy server, and finally, we deny all other source IP 
addresses and ports on the proxy server. 
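Because http_access lines are evaluated top to bottom and the first matching line decides, the effect of a policy depends on rule order as much as on the ACLs themselves. The simulator below is an added example (not code from the book or from Squid): it models only the src, port and method ACL types used on this page and Squid's first-match rule, and the request values are constructed. It shows that, in the order printed above, an internal client's CONNECT request is allowed by the first line before the CONNECT deny is ever reached, while moving the two deny lines ahead of the allow lines (the STRICT_POLICY variant, our own reordering) makes the port and method restrictions apply to internal clients too.

```python
import ipaddress
from dataclasses import dataclass

# The acl definitions from the stand-alone proxy example above, embedded
# here as constructed sample input for the simulator.
ACL_LINES = """
acl localnet src 192.168.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80 443 210 70 21 1025-65535
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0
"""

# Rule order exactly as printed on the page.
PAGE_POLICY = ACL_LINES + """
http_access allow localnet
http_access allow localhost
http_access deny !Safe_ports
http_access deny CONNECT
http_access deny all
"""

# Our reordering (assumption, not from the book): deny lines first, so the
# port and method restrictions are also enforced for internal clients.
STRICT_POLICY = ACL_LINES + """
http_access deny !Safe_ports
http_access deny CONNECT
http_access allow localnet
http_access allow localhost
http_access deny all
"""


@dataclass
class Request:
    src: str      # client IP address
    port: int     # destination port
    method: str   # HTTP method, e.g. GET or CONNECT


def _parse_ports(tokens):
    """Expand '80 443 1025-65535' into a set of port numbers."""
    ports = set()
    for tok in tokens:
        if "-" in tok:
            lo, hi = tok.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(tok))
    return ports


def parse_policy(text):
    """Return ({acl name: (type, data)}, [(action, [(negated, name), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not words:
            continue
        if words[0] == "acl":
            name, kind, data = words[1], words[2], words[3:]
            if kind == "src":
                # ipaddress accepts both a.b.c.d/e.f.g.h and CIDR notation
                value = [ipaddress.ip_network(d, strict=False) for d in data]
            elif kind == "port":
                value = _parse_ports(data)
            elif kind == "method":
                value = {m.upper() for m in data}
            else:
                raise ValueError("acl type not modelled here: " + kind)
            acls[name] = (kind, value)
        elif words[0] == "http_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in words[2:]]
            rules.append((words[1], terms))
    if not rules:
        raise ValueError("policy has no http_access lines")
    return acls, rules


def _acl_matches(acl, req):
    kind, value = acl
    if kind == "src":
        return any(ipaddress.ip_address(req.src) in net for net in value)
    if kind == "port":
        return req.port in value
    return req.method.upper() in value


def evaluate(policy_text, req):
    """First-match evaluation: return (action, index of the deciding rule).

    A rule matches only when every one of its terms matches (a '!' term
    matches when its acl does not).  If no rule matches, Squid applies the
    opposite of the last rule's action; the index is then None."""
    acls, rules = parse_policy(policy_text)
    for index, (action, terms) in enumerate(rules):
        if all(_acl_matches(acls[name], req) != negated for negated, name in terms):
            return action, index
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    internal_connect = Request("192.168.1.25", 443, "CONNECT")
    print("page order  :", evaluate(PAGE_POLICY, internal_connect))
    print("strict order:", evaluate(STRICT_POLICY, internal_connect))
    print("outsider    :", evaluate(PAGE_POLICY, Request("10.0.0.5", 80, "GET")))
```

The returned index is the zero-based position of the http_access line that decided the request, which is what you want to look at when a policy behaves unexpectedly; the trailing "deny all" guarantees that the documented fallback (opposite of the last line) is never reached.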





Multi-level Web Caching 

The second method of proxy caching is the so-called “Multi-level Web Caching”, where you choose 
to share and cooperate with other proxy-cache servers on the Internet. With this method, your 
organization uses the cache of many other proxy cache servers, and in return, the other 
cache servers can use yours. 


It’s important to note that in this situation, the proxy cache can play two different roles in the 
hierarchy. It can be configured to be a sibling cache, and be able to only serve documents it 
already has, or it can be configured as a parent cache, and be able to get documents from 
another cache or from the source directly. 
Parents and Siblings 

NOTE: A good strategy to avoid generating more network traffic than without web caching is to 
choose to have several sibling caches and only a small number of parent caches. 





/etc/sysconfig/squid: The Squid System Configuration File 

The /etc/sysconfig/squid file is used to specify Squid system configuration information, 
such as whether Squid should enable initial DNS checks at start-up, and the time to wait for 
Squid to shut down when asked. 


• Create the squid file (touch /etc/sysconfig/squid) and add the following lines: 


# default squid options 

# -D disables initial dns checks. If you most likely will not have an 
# internet connection when you start squid, uncomment this 
#SQUID_OPTS="-D" 

# Time to wait for Squid to shut down when asked. Should not be necessary 
# most of the time. 
SQUID_SHUTDOWN_TIMEOUT=100 
/etc/logrotate.d/squid: The Squid Log Rotation Configuration File 
The /etc/logrotate.d/squid file is responsible for rotating the log files related to the Squid software 
automatically each week via syslog. If you are not familiar with syslog, look at the 
syslog.conf(5) manual page for a description of the syslog configuration file, or the 
syslogd(8) manual page for a description of the syslogd daemon. 





• Create the squid file (touch /etc/logrotate.d/squid) and add the following lines: 


/var/log/squid/access.log { 
    weekly 
    rotate 5 
    copytruncate 
    compress 
    notifempty 
    missingok 
} 

/var/log/squid/cache.log { 
    weekly 
    rotate 5 
    copytruncate 
    compress 
    notifempty 
    missingok 
} 

/var/log/squid/store.log { 
    weekly 
    rotate 5 
    copytruncate 
    compress 
    notifempty 
    missingok 
    # This script asks squid to rotate its logs on its own. 
    # Restarting squid is a long process and it is not worth 
    # doing it just to rotate logs 
    postrotate 
        /usr/sbin/squid -k rotate 
    endscript 
} 





/etc/rc.d/init.d/squid: The Squid Initialization File 
The /etc/rc.d/init.d/squid script file is responsible for automatically starting and stopping the 
Squid Internet Object Cache on your server. Loading the squid daemon as a standalone 
daemon will eliminate load time and will even reduce swapping, since non-library code will be 
shared. 











Step 1 
Create the squid script file (touch /etc/rc.d/init.d/squid) and add the following lines: 

#!/bin/bash 
# squid         This shell script takes care of starting and stopping 
#               Squid Internet Object Cache 
# 
# chkconfig: - 90 25 
# description: Squid Internet Object Cache. Internet object caching is \ 
#       a way to store requested Internet objects (i.e., data available \ 
#       via the HTTP, FTP, and gopher protocols) on a system closer to the \ 
#       requesting site than to the source. Web browsers can then use the \ 
#       Squid cache as a proxy HTTP server, reducing access time as \ 
#       well as bandwidth consumption. 
# pidfile: /var/run/squid.pid 
# config: /etc/squid/squid.conf 

PATH=/usr/bin:/sbin:/bin:/usr/sbin 
export PATH 

# Source function library. 
. /etc/rc.d/init.d/functions 

# Source networking configuration. 
. /etc/sysconfig/network 

# Check that networking is up. 
[ ${NETWORKING} = "no" ] && exit 0 

# check if the squid conf file is present 
[ -f /etc/squid/squid.conf ] || exit 0 

if [ -f /etc/sysconfig/squid ]; then 
    . /etc/sysconfig/squid 
else 
    SQUID_OPTS="-D" 
    SQUID_SHUTDOWN_TIMEOUT=100 
fi 

# determine the name of the squid binary 
[ -f /usr/sbin/squid ] && SQUID=squid 

[ -z "$SQUID" ] && exit 0 

prog="$SQUID" 

# determine which one is the cache_swap directory 
CACHE_SWAP=`sed -e 's/#.*//g' /etc/squid/squid.conf | \ 
    grep cache_dir | awk '{ print $3 }'` 
[ -z "$CACHE_SWAP" ] && CACHE_SWAP=/var/lib/squid 

RETVAL=0 

start() { 
    for adir in $CACHE_SWAP; do 
        if [ ! -d $adir/00 ]; then 
            echo -n "init_cache_dir $adir... " 
            $SQUID -z -F 2>/dev/null 
        fi 
    done 
    echo -n $"Starting $prog: " 
    $SQUID $SQUID_OPTS 2> /dev/null & 
    RETVAL=$? 
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$SQUID 
    [ $RETVAL -eq 0 ] && echo_success 
    [ $RETVAL -ne 0 ] && echo_failure 
    echo 
    return $RETVAL 
} 

stop() { 
    echo -n $"Stopping $prog: " 
    $SQUID -k check >/dev/null 2>&1 
    RETVAL=$? 
    if [ $RETVAL -eq 0 ] ; then 
        $SQUID -k shutdown & 
        rm -f /var/lock/subsys/$SQUID 
        timeout=0 
        while : ; do 
            [ -f /var/run/squid.pid ] || break 
            if [ $timeout -ge $SQUID_SHUTDOWN_TIMEOUT ]; then 
                echo 
                return 1 
            fi 
            sleep 2 && echo -n "." 
            timeout=$((timeout+2)) 
        done 
        echo_success 
        echo 
    else 
        echo_failure 
        echo 
    fi 
    return $RETVAL 
} 

reload() { 
    $SQUID $SQUID_OPTS -k reconfigure 
} 

restart() { 
    stop 
    start 
} 

condrestart() { 
    [ -e /var/lock/subsys/squid ] && restart || : 
} 

rhstatus() { 
    status $SQUID 
    $SQUID -k check 
} 

probe() { 
    return 0 
} 

case "$1" in 
start) 
    start 
    ;; 
stop) 
    stop 
    ;; 
reload) 
    reload 
    ;; 
restart) 
    restart 
    ;; 
condrestart) 
    condrestart 
    ;; 
status) 
    rhstatus 
    ;; 
probe) 
    exit 0 
    ;; 
*) 
    echo $"Usage: $0 {start|stop|status|reload|restart|condrestart}" 
    exit 1 
esac 

exit $? 


Step 2 

Once the squid script file has been created, it is important to make it executable, change its 
default permissions, create the necessary links and start it. Making this file executable allows 
the system to run it; changing its default permissions allows only the root user to change this 
file, for security reasons; and creating the symbolic links lets the process control initialization 
of Linux, which is in charge of starting all the normal and authorized processes that need to run at 
boot time on your system, start the program automatically for you at each reboot. 


• To make this script executable and to change its default permissions, use the commands: 
[root@deep /]# chmod 700 /etc/rc.d/init.d/squid 
[root@deep /]# chown 0.0 /etc/rc.d/init.d/squid 


• To create the symbolic rc.d links for Squid, use the following commands: 
[root@deep /]# chkconfig --add squid 
[root@deep /]# chkconfig --level 345 squid on 


• To start the Squid software manually, use the following command: 
[root@deep /]# /etc/rc.d/init.d/squid start 
Starting squid: [OK] 


NOTE: All the configuration files required for each piece of software described in this book have been 
provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be 
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can 
unpack this to any location on your local machine, say for example /var/tmp; assuming you 
have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy 
directory each configuration file has its own directory for the respective software. You can either cut 
and paste these directly if you are faithfully following our instructions from the beginning, or 
manually edit them to fit your needs. This facility is there as a convenience, but 
please don't forget that ultimately it is your responsibility to check, verify, etc. before you use 
them, whether modified or as they are. 
Securing Squid 

This section deals especially with actions we can take to improve and tighten security under 
Squid. The interesting point here is that we refer to the features available within the base 
installed program and not to any additional software. 


More control on mounting the cache directory of Squid 

If you have created the cache directory of Squid in a separate partition in your Linux system (i.e. 
/var/lib), as we have done during the install set-up of Linux, then you can use the noexec, 
nodev, and nosuid features to improve and consolidate the cache security. 


These features can be set up in the /etc/fstab file to inform the system not to allow execution 
of any binaries (noexec), not to interpret character or block special devices (nodev), and not to 
allow set-user-identifier or set-group-identifier bits to take effect (nosuid) on the mounted file 
system (/var/lib in our example). 


Applying this procedure on the partition where the Squid Cache resides will help to eliminate the 
possibility of DEV, SUID/SGID, and execution of any binaries. 





Step 1 
• Edit the fstab file (vi /etc/fstab) and, in the line that refers to the /var/lib file 
system, add the following options after the defaults option as shown below: 

LABEL=/var/lib /var/lib ext2 defaults,noexec,nodev,nosuid 1 2 


Step 2 
Once you have made the necessary adjustments to the /etc/fstab file, it is time to inform the 
Linux system about the modification. 


• This can be accomplished with the following command: 
[root@deep /]# mount /var/lib -oremount 


Each file system that has been modified must be remounted with the command shown above. In 
our example we have modified the /var/lib file system, and it is for this reason that we remount 
this file system with the above command. 


Step 3 
• You can verify if the modifications have been correctly applied to the Linux system with 
the following command: 
[root@deep /]# cat /proc/mounts 

/dev/root / ext2 rw 0 0 
/proc /proc proc rw 0 0 
/dev/sda1 /boot ext2 rw 0 0 
/dev/sda9 /chroot ext2 rw 0 0 
/dev/sda8 /home ext2 rw 0 0 
/dev/sda13 /tmp ext2 rw 0 0 
/dev/sda7 /usr ext2 rw 0 0 
/dev/sda11 /var ext2 rw 0 0 
/dev/sda12 /var/lib ext2 rw,noexec,nosuid,nodev 0 0 
none /dev/pts devpts rw 0 0 


This command will show you all file systems on your Linux server with the parameters applied to them. 
If you see something like the following, congratulations! 


/var/lib /var/lib ext2 rw,noexec,nosuid,noatime 0 0 
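Reading /proc/mounts by eye is fine once, but the same check is worth scripting so it can run after every reboot or remount, and so that a mount point that silently fell back to defaults is noticed. The following is an added example (not code from the book): it parses /proc/mounts-style text and reports which of the hardening options are missing for a given mount point. The SAMPLE_MOUNTS text is constructed after the listing shown above; check_live() runs the same test against the real /proc/mounts.

```python
# Constructed sample, modelled on the /proc/mounts listing above.
SAMPLE_MOUNTS = """\
/dev/root / ext2 rw 0 0
/proc /proc proc rw 0 0
/dev/sda1 /boot ext2 rw 0 0
/dev/sda11 /var ext2 rw 0 0
/dev/sda12 /var/lib ext2 rw,noexec,nosuid,nodev 0 0
none /dev/pts devpts rw 0 0
"""

# The options the fstab change above is meant to enforce on the cache partition.
REQUIRED = ("noexec", "nodev", "nosuid")


def parse_mounts(text):
    """Return {mount_point: set(mount options)} from /proc/mounts-style lines.

    The kernel escapes spaces in paths as \\040; decode that so a mount point
    containing a space still matches the name the administrator uses."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:          # skip blank or truncated lines
            continue
        mount_point = fields[1].replace("\\040", " ")
        table[mount_point] = set(fields[3].split(","))
    return table


def missing_options(text, mount_point, required=REQUIRED):
    """List the required options that mount_point lacks.

    Returns None when mount_point is not mounted at all, which is a
    different failure from 'mounted without the options' (the remount
    cannot have applied to a file system that is not there)."""
    table = parse_mounts(text)
    if mount_point not in table:
        return None
    return [opt for opt in required if opt not in table[mount_point]]


def check_live(mount_point="/var/lib", path="/proc/mounts"):
    """Same check against the running system's mount table."""
    with open(path) as fh:
        return missing_options(fh.read(), mount_point)


if __name__ == "__main__":
    for mp in ("/var/lib", "/var", "/chroot"):
        print(mp, "->", missing_options(SAMPLE_MOUNTS, mp))
```

An empty list means the partition carries every required option; a non-empty list names what the remount did not apply, and None means the path is not a separate mount point, in which case the options cannot be set for it independently of its parent file system.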
Immunize the Squid configuration file 

As we already know, the immutable bit can be used to prevent deletion, overwriting, or creation of 
a symbolic link to a file. Once your squid.conf file has been configured, it’s a good idea to 
immunize it with the following command: 


[root@deep /]# chattr +i /etc/squid/squid.conf 


Optimizing Squid 
This section deals especially with actions we can take to improve performance of 
Squid. Note that we refer to the features available within the base installed program. 


The atime and noatime attributes 

The atime and noatime attributes can be used to get a measurable performance gain in the 
Squid cache directory. See the chapter related to the Linux kernel in this book for more information 
on this issue. 


Physical memory 

The most important resource for Squid is physical memory. Your processor does not need to be 
ultra-fast. Your disk system will be the major bottleneck, so fast disks are important for high- 
volume caches. Do not use IDE disks if you can help it. 





The cachemgr.cgi program utility of Squid 

The cachemgr.cgi utility program, which is available by default when you compile and install 
Squid on your system, is designed to run through a web interface, and outputs various statistics 
about Squid configuration and performance. 


This program is located by default under the /usr/lib/squid directory, and you must put it in 
your “cgi-bin” directory (e.g., /home/httpd/cgi-bin) on your Web server to be able to use it. 
Follow the simple steps below to use this program. 





Step 1 
Remember that during our configuration step, we added at Squid configure time the 
option “--enable-cachemgr-hostname=www” to inform the program to run this script from the 
specified host name, which in our case is www (our Web Server hostname) on the network. This is 
an important point, since there is no reason to run a Web Server on a Gateway/Proxy Server to be 
able to use this script if we already have a Web Server on our network to do this job. 


The first step will be to move the “cachemgr.cgi” CGI file from the machine where Squid runs to your 
Web Server under the /home/httpd/cgi-bin directory by FTP transport, floppy, etc. 


Step 2 
Once you’ve put the “cachemgr.cgi” program into your /cgi-bin directory on the remote Web 
Server, it is time to change its default mode permission and owner. 


• These procedures can be accomplished with the following commands: 
[root@deep /]# cd /home/httpd/cgi-bin/ 
[root@deep cgi-bin]# chown www.www cachemgr.cgi 
[root@deep cgi-bin]# chmod 744 cachemgr.cgi 
Step 3 
Finally, you can point your web browser to the following address (http://my-web-server/cgi- 
bin/cachemgr.cgi) to be able to use the various features of this program. 


The <my-web-server> is the address where your Apache web server lives, and 
<cachemgr.cgi> is the Squid utility program we have just placed in our “cgi-bin” directory to 
display information and the configuration of our Squid Proxy Linux server. 





[Screenshot: the cachemgr.cgi “Cache Manager Interface” login page. It reads “This is a WWW interface to the instrumentation interface for the Squid object cache” and asks for Cache Host, Cache Port (3128), Manager name and Password, with a Continue button; the footer shows the generation date and the cachemgr.cgi version.] 





If you have configured the squid.conf file to use password authentication for cachemgr.cgi, 
you'll be asked to enter the Cache Host, Cache Port, Manager name, and Password information 
before you are able to access the cachemgr.cgi program. See the configuration of the 
/etc/squid/squid.conf file above for more information. 


List of installed Squid files on your system 

> /etc/init.d/squid 
> /etc/logrotate.d/squid 
> /etc/sysconfig/squid 
> /etc/squid 
> /etc/squid/mib.txt 
> /etc/squid/squid.conf.default 
> /etc/squid/squid.conf 
> /etc/squid/mime.conf.default 
> /etc/squid/mime.conf 
> /etc/squid/errors 
> /etc/squid/errors/ERR_ACCESS_DENIED 
> /etc/squid/errors/ERR_CACHE_ACCESS_DENIED 
> /etc/squid/errors/ERR_CACHE_MGR_ACCESS_DENIED 
> /etc/squid/errors/ERR_CANNOT_FORWARD 
> /etc/squid/errors/ERR_CONNECT_FAIL 
> /etc/squid/errors/ERR_DNS_FAIL 
> /etc/squid/errors/ERR_FORWARDING_DENIED 
> /etc/squid/errors/ERR_FTP_DISABLED 
> /etc/squid/errors/ERR_FTP_FAILURE 
> /etc/squid/errors/ERR_FTP_FORBIDDEN 
> /etc/squid/errors/ERR_FTP_NOT_FOUND 
> /etc/squid/errors/ERR_FTP_PUT_CREATED 
> /etc/squid/errors/ERR_FTP_PUT_ERROR 
> /etc/squid/errors/ERR_FTP_PUT_MODIFIED 
> /etc/squid/errors/ERR_FTP_UNAVAILABLE 
> /etc/squid/errors/ERR_INVALID_REQ 
> /etc/squid/errors/ERR_INVALID_URL 
> /etc/squid/errors/ERR_LIFETIME_EXP 
> /etc/squid/errors/ERR_NO_RELAY 
> /etc/squid/errors/ERR_ONLY_IF_CACHED_MISS 
> /etc/squid/errors/ERR_READ_ERROR 
> /etc/squid/errors/ERR_READ_TIMEOUT 
> /etc/squid/errors/ERR_SHUTTING_DOWN 
> /etc/squid/errors/ERR_SOCKET_FAILURE 
> /etc/squid/errors/ERR_TOO_BIG 
> /etc/squid/errors/ERR_UNSUP_REQ 
> /etc/squid/errors/ERR_URN_RESOLVE 
> /etc/squid/errors/ERR_WRITE_ERROR 
> /etc/squid/errors/ERR_ZERO_SIZE_OBJECT 
> /usr/lib/squid 
> /usr/lib/squid/unlinkd 
> /usr/lib/squid/cachemgr.cgi 
> /usr/lib/squid/icons 
> /usr/lib/squid/icons/anthony-binhex.gif 
> /usr/lib/squid/icons/anthony-bomb.gif 
> /usr/lib/squid/icons/anthony-box.gif 
> /usr/lib/squid/icons/anthony-box2.gif 
> /usr/lib/squid/icons/anthony-c.gif 
> /usr/lib/squid/icons/anthony-compressed.gif 
> /usr/lib/squid/icons/anthony-dir.gif 
> /usr/lib/squid/icons/anthony-dirup.gif 
> /usr/lib/squid/icons/anthony-dvi.gif 
> /usr/lib/squid/icons/anthony-f.gif 
> /usr/lib/squid/icons/anthony-image.gif 
> /usr/lib/squid/icons/anthony-image2.gif 
> /usr/lib/squid/icons/anthony-layout.gif 
> /usr/lib/squid/icons/anthony-link.gif 
> /usr/lib/squid/icons/anthony-movie.gif 
> /usr/lib/squid/icons/anthony-pdf.gif 
> /usr/lib/squid/icons/anthony-portal.gif 
> /usr/lib/squid/icons/anthony-ps.gif 
> /usr/lib/squid/icons/anthony-quill.gif 
> /usr/lib/squid/icons/anthony-script.gif 
> /usr/lib/squid/icons/anthony-sound.gif 
> /usr/lib/squid/icons/anthony-tar.gif 
> /usr/lib/squid/icons/anthony-tex.gif 
> /usr/lib/squid/icons/anthony-text.gif 
> /usr/lib/squid/icons/anthony-unknown.gif 
> /usr/lib/squid/icons/anthony-xbm.gif 
> /usr/lib/squid/icons/anthony-xpm.gif 
> /usr/lib/squid/pam_auth 
> /usr/sbin/squid 
> /usr/sbin/client 
> /var/lib/squid 
> /var/log/squid 
27 Gateway Server - FreeS/WAN VPN Server 
In this Chapter 

Recommended RPM packages to be installed for a VPN Server 
Compiling - Optimizing & Installing FreeS/WAN 
Configuring FreeS/WAN 
Configuring RSA private keys secrets 
Requiring network setup for IPSec 
Testing the FreeS/WAN installation 

Linux FreeS/WAN VPN 


Abstract 

Protecting client-to-server traffic (and vice versa) with SSL solutions is an excellent choice, but 
sometimes, in enterprise environments, establishing secure communication channels that assure full 
privacy, authenticity and data integrity between two firewalls over the Internet is vital. For this, 
IPSEC has been created. 


IPSEC is Internet Protocol SECurity. It uses strong cryptography to provide both authentication 
and encryption services. Authentication ensures that packets are from the right sender and have 
not been altered in transit. Encryption prevents unauthorized reading of packet contents. IPSEC 
can protect any protocol running above IP and any medium used below IP. IPSEC can also 
provide some security services "in the background", with no visible impact on users. More to the 
point, it can protect a mixture of protocols running over a complex combination of media (i.e. 
IMAP/POP etc.) without having to change them in any way, since the encryption occurs at the 
IP level. 








IPSEC services allow you to build secure tunnels through untrusted networks like the Internet. 
Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and 
decrypted by the gateway at the other end. The result is a Virtual Private Network, or VPN. This is a 
network which is effectively private even though it includes machines at several different sites 
connected by the insecure Internet. 
Recommended RPM packages to be installed for a VPN Server 

A minimal configuration provides the basic set of packages required by the Linux operating 
system. A minimal configuration is a perfect starting point for building a secure operating system. 
Below is the list of all recommended RPM packages required to run your Linux server properly as 
a VPN (FreeS/WAN) server running the FreeS/WAN software. 


This configuration assumes that your kernel is a monolithic kernel. I also suppose that you will 
install FreeS/WAN from the RPM package. Therefore, the freeswan RPM package is already included in 
the list below, as you can see. No security tools are installed; it is up to you to install them as you 
need, by RPM packages too, since the compiler packages are not installed or included in the list. 


basesystem      e2fsprogs      initscripts    openssh          slang 
bdflush         file           iptables       openssh-server   slocate 
bind            filesystem     kernel         openssl          sysklogd 
bzip2           fileutils      less           pam              syslinux 
chkconfig       findutils      libstdc++      passwd           SysVinit 
console-tools   freeswan       libtermcap     popt             tar 
cpio            gawk           lilo           procps           termcap 
cracklib        gdbm           logrotate      psmisc           textutils 
cracklib-dicts  gettext        losetup        pwdb             tmpwatch 
crontabs        glib           MAKEDEV        qmail            utempter 
db1             glibc          man            readline         util-linux 
db2             glibc-common   mingetty       rootfiles        vim-common 
db3             grep           mktemp         rpm              vim-minimal 
dev             groff          mount          sed              vixie-cron 
devfsd          gzip           ncurses        setup            which 
diffutils       info           net-tools      sh-utils         words 
                               newt           shadow-utils     zlib 


Tested and fully functional on OpenNA.com. 
These installation instructions assume 

Commands are Unix-compatible. 
The source path is /var/tmp (note that other paths are possible, at personal discretion). 
Installations were tested on Red Hat 7.1. 
All steps in the installation will happen using the super-user account “root”. 
Whether kernel recompilation may be required: Yes 
Latest FreeS/WAN VPN version number is 1.9 


Packages 
The following are based on information as listed by FreeS/WAN as of 2001/03/27. Please 
regularly check at www.freeswan.org for the latest status. 


Source code is available from: 

FreeS/WAN VPN Homepage Site: http://www.freeswan.org/ 
FreeS/WAN VPN FTP Site: 194.109.6.26 

You must be sure to download: freeswan-1.9.tar.gz 


Pristine source 

If you don’t use the RPM package to install this program, it will be difficult for you to locate all 
installed files on the system in the event of an update in the future. To solve the problem, 
it is a good idea to make a list of files on the system before you install FreeS/WAN, and one 
afterwards, and then compare them using the diff utility of Linux to find out what files are 
placed where. 


• Simply run the following command before installing the software: 
[root@deep /root]# find /* > Freeswan1 


• And the following one after you install the software: 
[root@deep /root]# find /* > Freeswan2 


• Then use the following command to get a list of what changed: 
[root@deep /root]# diff Freeswan1 Freeswan2 > Freeswan-Installed 

















With this procedure, if any upgrade appears, all you have to do is read the generated list of 
what files were added or changed by the program and remove them manually from your system 
before installing the new software. In our example above, we use the /root directory of 
the system to store all generated list files. 


Prerequisites 

The installation of IPSEC FreeS/WAN Virtual Private Network software requires some 
modification of your original kernel since FreeS/WAN must be included and incorporated in your 
kernel before you can use it. 





For this reason the first step in installing FreeS/WAN software is to go to the Linux Kernel section 
in this book and follow the instructions on how to install the Linux Kernel on your system (even if 
you have already done this before) and come back to “Linux FreeS/WAN VPN” (this section) after 
you have executed the “make dep; make clean” commands, but before the “make bzImage” 
command in the Linux Kernel section. 
CAUTION: It is highly recommended not to compile anything in the kernel with optimization flags if 
you intend to use and install the FreeS/WAN software on your system. Any optimization flags 
added to the Linux kernel will produce error messages in the FreeS/WAN IPSEC software when 
it tries to run; this is an important warning to note, or else nothing will work with FreeS/WAN. The 
optimization flags documented in the chapter related to the Linux Kernel, “Securing & Optimizing Kernel”, 
apply without any problems to all sections and chapters of this book with the single exception of 
the FreeS/WAN IPSEC software. Once again, I repeat, don’t use or add any optimization options 
or flags to your Linux kernel when compiling and patching it to support FreeS/WAN. 











Compiling - Optimizing & Installing FreeS/WAN 

Below are the required steps that you must make to compile and optimize the FreeS/WAN 
software before installing it into your Linux system. Don’t forget that your Linux kernel must be 
pre-configured as described previously before going into the following steps. 


Step 1 

Once Linux Kernel is pre-configured and you get the FreeS/WAN program from the main 
software site you must copy it to the /var/tmp directory and change to this location before 
expanding the archive. 


e These procedures can be accomplished with the following commands: 
[root@deep /]# cp freeswan-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 

[root@deep tmp]# tar xzpf freeswan-version.tar.gz 


Step 2 
After that, move into the newly created FreeS/WAN directory then configure, compile and 
optimize it. 


• To move into the top-level directory of the FreeS/WAN distribution use the command: 
[root@deep tmp]# cd freeswan-1.9/ 


Step 3 

You must modify the Makefile under the FreeS/WAN source directory and in the subdirectories 
named utils, klips/utils, pluto, and lib to specify installation paths. We must modify 
these files to be compliant with the Linux file system structure and install FreeS/WAN files under our 
PATH environment variable. 


• Edit the Makefile file (vi Makefile) and change all of the targeted lines in the order 
shown below: 


PUBDIR=$(DESTDIR)/usr/local/sbin 

To read: 

PUBDIR=$(DESTDIR)/usr/sbin 


REALPRIVDIR=/usr/local/lib/ipsec 

To read: 

REALPRIVDIR=/usr/lib/ipsec 


MANTREE=$(DESTDIR)/usr/local/man 

To read: 

MANTREE=$(DESTDIR)/usr/share/man 


CONFDIR=$(DESTDIR)/etc 

To read: 

CONFDIR=/etc 


Step 3.1 

• Edit the Makefile file of the subdirectory utils (vi utils/Makefile) and change 
all of the targeted lines in the order shown below: 

PUBDIR=/usr/local/sbin 

To read: 

PUBDIR=/usr/sbin 


PRIVDIR=/usr/local/lib/ipsec 

To read: 

PRIVDIR=/usr/lib/ipsec 


REALPRIVDIR=/usr/local/lib/ipsec 

To read: 

REALPRIVDIR=/usr/lib/ipsec 


MANTREE=/usr/local/man 

To read: 

MANTREE=/usr/share/man 
Step 3.2 

• Edit the Makefile file of the subdirectory klips/utils (vi 
klips/utils/Makefile) and change all of the targeted lines in the order shown 
below: 

CFLAGS=-O2 -I../net/ipsec -I../../lib -g 

To read: 

CFLAGS=-O3 -I../net/ipsec -I../../lib -g 


BINDIR=/usr/local/lib/ipsec 

To read: 

BINDIR=/usr/lib/ipsec 


MANTREE=/usr/local/man 

To read: 

MANTREE=/usr/share/man 


Step 3.3 

• Edit the Makefile file of the subdirectory pluto (vi pluto/Makefile) and change 
all of the targeted lines in the order shown below: 

BINDIR=/usr/local/lib/ipsec 

To read: 

BINDIR=/usr/lib/ipsec 


MANTREE=/usr/local/man 

To read: 

MANTREE=/usr/share/man 


Step 3.4 

• Edit the Makefile file of the subdirectory lib (vi lib/Makefile) and change the 
following line: 

MANTREE=/usr/local/man 

To read: 

MANTREE=/usr/share/man 
Step 3.5 

• Edit the Makefile file of the subdirectory libdes (vi libdes/Makefile) and 
change all of the targeted lines in the order shown below: 

LIBDIR=/usr/local/lib 

To read: 

LIBDIR=/usr/lib 


BINDIR=/usr/local/bin 

To read: 

BINDIR=/usr/bin 


INCDIR=/usr/local/include 

To read: 

INCDIR=/usr/include 


MANDIR=/usr/local/man 

To read: 

MANDIR=/usr/share/man 


All of the above changes (Step 3 to Step 3.5) will relocate all files related to the FreeS/WAN 
software to the destination target directories we have chosen in order to be compliant with the 
Linux file system structure. 


Step 4 

Now, we must make a list of files on the system before you install the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where, and 
finally install FreeS/WAN on the server: 

[root@deep freeswan-1.9]# make insert 
[root@deep freeswan-1.9]# make programs 
[root@deep freeswan-1.9]# cd 
[root@deep /root]# find /* > Freeswan1 
[root@deep /root]# cd /var/tmp/freeswan-1.9/ 
[root@deep freeswan-1.9]# make install 
[root@deep freeswan-1.9]# cd 
[root@deep /root]# find /* > Freeswan2 
[root@deep /root]# diff Freeswan1 Freeswan2 > Freeswan-Installed 





The make insert command will create a symbolic link /usr/src/linux/net/ipsec, 
pointing to the KLIPS source directory. It patches some kernel files, where necessary, to know 
about KLIPS and/or to fix bugs. It also adds its default configuration to the kernel configuration 
file, and finally, it makes the KLIPS communication file, /dev/ipsec, if it's not already there. 

The make programs command builds the libraries, Pluto, and various user-level utilities. The 
make install command will install the Pluto daemon and user-level utilities, and set things up for boot- 
time start-up. 


Step 5 

Once the program is installed on the system, we must return to the /usr/src/linux directory 
and execute the following commands to reconfigure and install the kernel with FreeS/WAN VPN 
support enabled: 


[root@deep freeswan-1.9]# cd /usr/src/linux/ 
[root@deep linux]# make config 








WARNING: The difference with the make config command we used before to configure the kernel 
is that now a new section related to FreeS/WAN has been included in our kernel configuration, 
and for this reason we must reconfigure the kernel to customize the IPSec options to be a part of 
the kernel. 





The first thing you need to do is ensure that your kernel has been built with FreeS/WAN support 
enabled. In the 2.4 kernel version, a new section related to Frees/WAN VPN support named 
“TPSec options (FreeS/WAN)” should appear in your kernel configuration after you have 
patched the kernel with the FreeS/WAN program as descibed above. You need ensure that you 
have answered yY to the following questions under the new kernel section: IPSec options 
(FreeS/WAN). 


IPSec options (FreeS/WAN) 

IP Security Protocol (FreeS/WAN IPSEC) (CONFIG_IPSEC) [Y/n/?] 
IPSEC: IP-in-IP encapsulation (CONFIG_IPSEC_IPIP) [Y/n/?] 
IPSEC: PF_KEYv2 kernel/user interface (CONFIG_IPSEC_PFKEYv2) [Y/n/?] 
IPSEC: Enable ICMP PMTU messages (CONFIG_IPSEC_ICMP) [Y/n/?] 
IPSEC: Authentication Header (CONFIG_IPSEC_AH) [Y/n/?] 
HMAC-MD5 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_MD5) [Y/n/?] 
HMAC-SHA1 authentication algorithm (CONFIG_IPSEC_AUTH_HMAC_SHA1) [Y/n/?] 
IPSEC: Encapsulating Security Payload (CONFIG_IPSEC_ESP) [Y/n/?] 
3DES encryption algorithm (CONFIG_IPSEC_ENC_3DES) [Y/n/?] 
IPSEC Debugging Option (DEBUG_IPSEC) [Y/n/?] 























































































































NOTE: All the customizations you made to your kernel the first time you ran the make config, 
make dep, and make clean commands will be preserved, so you don't need to reconfigure every 
part of your kernel; just the new section added by FreeS/WAN, named "IPSec options 
(FreeS/WAN)", is required, as shown above. 





Some networking options will get turned on automatically, even if you previously turned them off. 
This is because IPSEC needs them. Whichever configuration program you are using, you should 
pay careful attention to a few issues: in particular, do NOT disable any of the following under the 
"Networking Options" of your kernel configuration: 





Kernel/User netlink socket (CONFIG_NETLINK) [Y/n/?] 
Netlink device emulation (CONFIG_NETLINK_DEV) [Y/n/?] 
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Step 6 
Now that we have included in the kernel the support for FreeS/WAN VPN, we can compile and 
install the new kernel. 


• Return to the /usr/src/linux directory and run the following commands again: 
[root@deep linux]# make dep; make clean; make bzImage 


After execution of the above commands, follow the rest of the instructions in the Linux Kernel 
chapter of this book as normal to install the kernel. At this point, after you have copied and 
installed your new kernel image, system.map, or modules (if necessary), and set the 
lilo.conf file to load the new kernel, you must edit and customize the configuration files 
related to FreeS/WAN “ipsec.conf” and “ipsec.secrets” before rebooting your system. 


Step 7 

Once compilation, optimization and installation of the software have been finished, we can free up 
some disk space by deleting the program tar archive and the related source directory since they 
are no longer needed. 


• To delete FreeS/WAN and its related source directory, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf freeswan-version/ 
[root@deep tmp]# rm -f freeswan-version.tar.gz 


The rm command as used above will remove all the source files we have used to compile and 
install FreeS/WAN. It will also remove the FreeS/WAN compressed archive from the /var/tmp 
directory. 


Configuring FreeS/WAN 
After building FreeS/WAN, your next step is to verify or change, if necessary, the options in your 
FreeS/WAN configuration files. Those files are: 


✓ /etc/ipsec.conf (The FreeS/WAN Configuration File) 
✓ /etc/ipsec.secrets (The FreeS/WAN Configuration File to store secret keys) 


/etc/ipsec.conf: The FreeS/WAN Configuration File 

The configuration file for FreeS/WAN (/etc/ipsec.conf) allows you to configure your IPSEC 
configurations, control information and connections types. IPSEC currently supports two types of 
connections: Manually keyed and Automatically keyed. 








The difference is strictly in how they are keyed. Manually keyed connections use keys stored in 
the /etc/ipsec.conf file. This type of connection is less secure than automatically keyed. 
Automatically keyed connections use keys automatically generated by the Pluto key negotiation 
daemon. The key negotiation protocol, used by default and named IKE, authenticates the other 
system using shared secrets stored in /etc/ipsec.secrets file. For these reasons, we will 
use and show you the automatically keyed connection that is more secure than the manually 
keyed connection (it is highly recommended that you use the automatically keyed connection). 





In our example configuration below, we configure a sample tunnel with a firewall-penetrating 
tunnel, and we assume that firewalling is being done on the left and right side. We choose to 
show you this configuration since we assume it is what most users and companies will use. 
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Also, it allows us to play with more options in the configuration file ipsec.conf for automatically 
keyed connections. Different configurations exist and you may consult the "doc/examples" file 
under the subdirectory "doc" of the FreeS/WAN source directory for more information and other 
possible configurations. 


SubnetDeep======Deep------Deepgate...............Mailgate-------Mail======SubnetMail 
                                   Untrusted net 


leftsubnet   = SubnetDeep (192.168.1.0/24) 
left         = Deep (deep.openna.com) 
leftnexthop  = Deepgate (the first router in that direction, or the ISP router for deep.openna.com) 
Internet     = Untrusted net 
rightnexthop = Mailgate (the first router in that direction, or the ISP router for mail.openna.com) 
right        = Mail (mail.openna.com) 
rightsubnet  = SubnetMail (192.168.1.0/24) 


   SubnetDeep  (192.168.1.0/24)    SubnetDeep is the IP network address of your private internal 
        |                          network on the first gateway. eth1 is attached to the internal network. 
      Deep     (208.164.186.1)     Deep is the IP address of your first gateway. eth0 is attached to 
        |                          the Internet. 
    Deepgate   (205.151.222.250)   Deepgate is the IP address of the first router in the direction of 
        |                          your second gateway (mail.openna.com) or your ISP router. 
    INTERNET                       INTERNET is the untrusted network. 
        | 
    Mailgate   (205.151.222.251)   Mailgate is the IP address of the first router in the direction of 
        |                          your first gateway (deep.openna.com) or your ISP router. 
      Mail                         Mail is the IP address of your second gateway. eth0 is attached to 
        |                          the Internet. 
   SubnetMail  (192.168.1.0/24)    SubnetMail is the IP network address of your private internal 
                                   network on the second gateway. eth1 is attached to the internal network. 

We must edit the ipsec.conf file (vi /etc/ipsec.conf) and change the default values to fit 
our specifications for IPSEC configuration and communication. Currently there are two types of 
section in this file (/etc/ipsec.conf): a "config" section, which specifies general 
configuration information for IPSEC, and a "conn" section which specifies an IPSEC connection. 
Its contents are not security-sensitive unless manual keying is being done (recall, manual keying 
is not recommended for security reasons). 











The first section type, named config setup, is the only config section known to the IPSEC 
software containing overall setup parameters for IPSEC that apply to all connections, and 
information used when the software is being started. 
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The second type, named conn, contains a connection specification defining a network 
connection to be made using IPSEC. The name it is given is arbitrary, and is simply used to 
identify the connection to ipsec_auto(8) and ipsec_manual(8). 








# /etc/ipsec.conf — FreeS/WAN IPSEC configuration file 


# More elaborate and more varied sample configurations can be found 
# in doc/examples. 


# basic configuration 

config setup 
interfaces="ipsec0=eth0" 
klipsdebug=none 
plutodebug=none 
plutoload=%search 
plutostart=%search 


# sample connection 

conn deep-mail 
left=208.164.186.1 
leftsubnet=192.168.1.0/24 
leftnexthop=205.151.222.250 
right=208.164.186.2 
rightsubnet=192.168.1.0/24 
rightnexthop=205.151.222.251 
keyingtries=0 
auth=ah 
auto=start 





This tells the ipsec.conf file to set itself up for this particular configuration with: 


interfaces="ipsec0=eth0" 

This option specifies which virtual and physical interfaces IPSEC should use. The 
default setting, "interfaces=%defaultroute", will look for your default connection to the 
Internet, or your corporate network. Also, you can name one or more specific interfaces to be 
used by FreeS/WAN. For example: 


interfaces="ipsec0=eth0" 
interfaces="ipsec0=eth0 ipsec1=ppp0" 


Both set the eth0 interface as ipsec0. The second one, however, also supports IPSEC over a 
PPP interface. If the default setting "interfaces=%defaultroute" is not used, then the 
specified interfaces will be the only ones this gateway machine can use to communicate with 
other IPSEC gateways. 





klipsdebug=none 
This option specifies the debugging output for KLIPS (the kernel IPSEC code). The default value 
none means no debugging output and the value all means full output. 


plutodebug=none 
This option specifies the debugging output for the Pluto key negotiation daemon. The default 
value, none, means no debugging output, and the value all means full output. 


plutoload=%search 

This option specifies which connections (by name) to load automatically into memory when 
Pluto starts. The default is none and the value %search loads all connections with auto=add 
or auto=start. 





657 


FreeS/WAN|2 
CHAPTER |7 


plutostart=%search 
This option specifies which connections (by name) to automatically negotiate when Pluto starts. 
The default is none and the value %search starts all connections with auto=start. 


conn deep-mail 

This option specifies the name given to identify the connection specification to be made using 
IPSEC. It's a good convention to name connections by their ends to avoid mistakes. For example, 
the link between the deep.openna.com and mail.openna.com gateway servers can be named 
"deep-mail", or the link between your Montreal and Paris offices, "montreal-paris". 


Note that the name "deep-mail", or whatever you have chosen, should be the same in the 
ipsec.conf file on both gateways. In other words, the only change you should make in the 
/etc/ipsec.conf file on the second gateway is changing the "interfaces=" line to match 
the interface the second gateway uses for the IPSEC connection, if, of course, it's different from 
the first gateway. For example, if the interface eth0 is used on both gateways for IPSEC 
communication, you don't need to change the line "interfaces=" on the second gateway. On 
the other hand, if the first gateway uses eth0 and the second uses eth1, you must change the line 
"interfaces=" on the second gateway to match the interface eth1. 








left=208.164.186.1 
This option specifies the IP address of the gateway's external interface used to talk to the other 
gateway. 


leftsubnet=192.168.1.0/24 
This option specifies the IP network or address of the private subnet behind the gateway. 


leftnexthop=205.151.222.250 
This option specifies the IP address of the first router in the appropriate direction or ISP router. 


right=208.164.186.2 
This is the same explanation as "left=" but for the right destination. 


rightsubnet=192.168.1.0/24 
This is the same explanation as "leftsubnet=" but for the right destination. 


rightnexthop=205.151.222.251 
This is the same explanation as "leftnexthop=" but for the right destination. 








keyingtries=0 
This option specifies how many attempts (an integer) should be made in (re)keying negotiations. 
The default value 0 (retry forever) is recommended. 


auth=ah 

This option specifies whether authentication should be done separately using AH (Authentication 
Header), or be included as part of the ESP (Encapsulated Security Payload) service. This is 
preferable when the IP headers are exposed to prevent man-in-the-middle attacks. 





auto=start 
This option specifies whether automatic startup operations should be done at IPSEC startup. 
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NOTE: A data mismatch anywhere in this configuration “ipsec.conf” will cause FreeS/WAN to 
fail and to log various error messages. 
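An added example (not the book's code) that mechanically applies the rule above: it parses the ipsec.conf of both gateways and reports every difference except the interfaces= line of config setup, which is the one line the book allows to differ. Both sample files are constructed from the deep-mail connection; the mail copy deliberately carries a transposed digit in rightnexthop, and the parser also honours a conn %default section, which the book's example does not use.

```python
"""Compare the /etc/ipsec.conf of two FreeS/WAN gateways.

Added example, not from the book.  The conn sections must be identical on
both gateways; only the interfaces= line of "config setup" may differ.
"""
import re

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
PARAM_RE = re.compile(r"^\s+([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {"config": {...}, "conn": {...}}.

    A line starting in column 0 opens a section ("config setup", "conn name");
    indented key=value lines belong to the current section.  '#' starts a
    comment.  Double quotes around a value are stripped so that
    interfaces="ipsec0=eth0" compares as ipsec0=eth0.
    """
    sections = {"config": {}, "conn": {}}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = sections[kind].setdefault(name, {})
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value.strip('"')
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def effective_conns(sections):
    """Apply the optional 'conn %default' section to every real conn."""
    default = sections["conn"].get("%default", {})
    return {name: {**default, **params}
            for name, params in sections["conn"].items() if name != "%default"}


def compare_gateways(conf_a, conf_b):
    """Return the list of mismatches Pluto would choke on; [] if consistent."""
    a, b = parse_ipsec_conf(conf_a), parse_ipsec_conf(conf_b)
    problems = []
    setup_a = a["config"].get("setup", {})
    setup_b = b["config"].get("setup", {})
    for key in sorted(set(setup_a) | set(setup_b)):
        # interfaces= is the one line allowed to differ between the gateways
        if key != "interfaces" and setup_a.get(key) != setup_b.get(key):
            problems.append(f"config setup: {key} differs "
                            f"({setup_a.get(key)} vs {setup_b.get(key)})")
    conns_a, conns_b = effective_conns(a), effective_conns(b)
    for name in sorted(set(conns_a) ^ set(conns_b)):
        problems.append(f"conn {name} is present on only one gateway")
    for name in sorted(set(conns_a) & set(conns_b)):
        pa, pb = conns_a[name], conns_b[name]
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"conn {name}: {key} differs "
                                f"({pa.get(key)} vs {pb.get(key)})")
    return problems


# Constructed sample: the book's deep-mail connection as kept on gateway deep.
DEEP_CONF = """\
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn deep-mail
        left=208.164.186.1
        leftsubnet=192.168.1.0/24
        leftnexthop=205.151.222.250
        right=208.164.186.2
        rightsubnet=192.168.1.0/24
        rightnexthop=205.151.222.251
        keyingtries=0
        auth=ah
        auto=start
"""

# Constructed sample: the copy on mail uses eth1 (allowed) and has a
# transposed digit in rightnexthop (a mismatch that must be reported).
MAIL_CONF = (DEEP_CONF.replace("ipsec0=eth0", "ipsec0=eth1")
                      .replace("205.151.222.251", "205.151.222.215"))
```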





/etc/ipsec.secrets: The FreeS/WAN File to store Secret Keys 

The file ipsec.secrets stores the secrets used by the pluto daemon to authenticate 
communication between both gateways. Two different kinds of secrets can be configured in this 
file: preshared secrets and RSA private keys. You must check the modes and 
permissions of this file to be sure that the super-user "root" owns the file, and its permissions are 
set to block all access by others. 


Step 1 

An example secret is supplied in the ipsec.secrets file by default. You should change it by 
creating your own. With automatic keying you may have a shared secret up to 256 bits, which is 
then used during the key exchanges to make sure a man-in-the-middle attack does not occur. 


• To create a new shared secret, use the following command: 
[root@deep /]# ipsec ranbits 256 > temp 


New, random keys are created with the ranbits(8) utility in the file named "temp". The ranbits 
utility may pause for a few seconds if not enough entropy is available immediately. Don't forget to 
delete the temporary file as soon as you are done with it. 


Step 2 

Now that our new shared secret key has been created in the "temp" file, we must put it in the 
/etc/ipsec.secrets file. When editing the ipsec.secrets file, you should see something 
like the following in your text editor. Each line has the IP addresses of the two 
gateways plus the secret. It should look something like this: 

# This file holds shared secrets which are currently the only inter-Pluto 
# authentication mechanism. See ipsec_pluto(8) manpage. Each secret is 
# (oversimplifying slightly) for one pair of negotiating hosts. 

# The shared secrets are arbitrary character strings and should be both 
# long and hard to guess. 

# Note that all secrets must now be enclosed in quotes, even if they have 
# no white space inside them. 

10.0.0.1 11.0.0.1 "4xVS1LkKVUTTULkKVRRTnTujSm444jRuUlm1kk1lku2nkW3nnVu V2W3j jRRnulmlkmU1Run5VSnnRT" 


• Edit the ipsec.secrets file (vi /etc/ipsec.secrets) and change the default 
secret keys: 


10.0.0.1 11.0.0.1 "4xVS1LkKVUTTULkKVRRTnTujSm444jRuUlm1kk1lku2nkW3nnVu V2W3j jRRnulmlkmU1Run5VSnnRT" 


To read: 


208.164.186.1 208.164.186.2 
"0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed" 
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Where "208.164.186.1" and "208.164.186.2" are the IP addresses of the two gateways and 
"0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed" (note 
that the quotes are required) is the shared secret we generated above with the 
command "ipsec ranbits 256 > temp" in the "temp" file. 


Step 3 

The files ipsec.conf and ipsec.secrets must be copied to the second gateway machine so 
as to be identical on both ends. The only exception to this is the ipsec.conf file, which must 
have in it a section labeled by the line config setup with the correct interface settings for the 
second gateway, if they differ from the first. The ipsec.secrets file, contrary to the RSA 
private key, should have the same shared secrets on the two gateways. 








WARNING: The file /etc/ipsec.secrets should have permissions rw------- (600) and be 
owned by the super-user "root". The file /etc/ipsec.conf is installed with permissions 
rw-r--r-- (644) and must also be owned by "root". 





Configuring RSA private keys secrets 

Recall that currently with the FreeS/WAN software there are two kinds of secrets: preshared secrets 
and RSA private keys. The preshared secrets are what we have configured in our ipsec.conf 
and ipsec.secrets example above. Some people may prefer to use RSA private keys for 
authentication by the Pluto daemon of the other hosts. If you are in this situation, you will have 
to make some minor modifications to your ipsec.conf and ipsec.secrets files as described 
in the following steps: 


You need to create a separate RSA key for *each* gateway. Each one gets its private key in its 
own ipsec.secrets file, and the public keys go in the leftrsasigkey and rightrsasigkey 
parameters in the conn description of the ipsec.conf file, which goes to both. 


Step 1 
Create a separate RSA key for *each* gateway: 


• On the first gateway (i.e. deep), use the following commands: 
[root@deep /]# cd / 
[root@deep /]# ipsec rsasigkey --verbose 1024 > deep-keys 
computing primes and modulus... 
getting 64 random bytes from /dev/random 
looking for a prime starting there 
found it after 30 tries 
getting 64 random bytes from /dev/random 
looking for a prime starting there 
found it after 230 tries 
swapping primes so p is the larger 
computing (p-1)*(q-1)... 
computing d... 
computing exp1, exp2, coeff... 
output... 
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• On the second gateway (i.e. mail), use the following commands: 
[root@mail /]# cd / 
[root@mail /]# ipsec rsasigkey --verbose 1024 > mail-keys 
computing primes and modulus... 
getting 64 random bytes from /dev/random 
looking for a prime starting there 
found it after 30 tries 
getting 64 random bytes from /dev/random 
looking for a prime starting there 
found it after 230 tries 
swapping primes so p is the larger 
computing (p-1)*(q-1)... 
computing d... 
computing exp1, exp2, coeff... 
output... 





The rsasigkey utility generates an RSA public and private key pair with a 1024-bit signature, and 
puts it in the file deep-keys (mail-keys for the second command on the second gateway). The 
private key can be inserted verbatim into the ipsec.secrets file, and the public key into the 
ipsec.conf file. 








WARNING: The rsasigkey utility may pause for a few seconds if not enough entropy is available 
immediately. You may want to give it some bogus activity such as random mouse movements. 
The temporary RSA "deep-keys" and "mail-keys" files should be deleted as soon as you are 
done with them. Don't forget to delete the deep-keys and mail-keys RSA files. 





Step 2 
Modify your /etc/ipsec.conf files to use RSA public keys in *each* gateway: 


Edit your original ipsec.conf file (vi /etc/ipsec.conf) and add the following parameters 
related to RSA in the conn description of your ipsec.conf file on both gateways: 


# sample connection 

conn deep-mail 
left=208.164.186.1 
leftsubnet=192.168.1.0/24 
leftnexthop=205.151.222.250 
right=208.164.186.2 
rightsubnet=192.168.1.0/24 
rightnexthop=205.151.222.251 
keyingtries=0 
auth=ah 
authby=rsasig 
leftrsasigkey=<Public key of deep> 
rightrsasigkey=<Public key of mail> 
auto=start 





authby=rsasig 

This parameter specifies how the two security gateways should authenticate each other. The 
default value is secret for shared secrets. We must specify rsasig for RSA since we have decided 
to use RSA digital signatures. 
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leftrsasigkey=<Public key of deep> 

This parameter specifies the left participant's public key for RSA signature authentication. In our 
example, left is 208.164.186.1, and represents deep.openna.com, so we must put the RSA 
public key for deep on this line. 


rightrsasigkey=<Public key of mail> 

This parameter specifies the right participant's public key for RSA signature authentication. In our 
example, right is 208.164.186.2, and represents mail.openna.com, so we must put the RSA 
public key of mail on this line. 


You can retrieve the public key of deep in the RSA key file named “deep-keys”, and the public 
key of mail in the RSA key file named “mail-keys”, that we have created in step 1 above. 
These files will look like this: 


RSA keys for gateway deep (deep-keys): 
[root@deep /]# cd / 
[root@deep /]# vi deep-keys 


# 1024 bits, Fri Feb 4 05:05:19 2000 

# for signatures only, UNSAFE FOR ENCRYPTION 

#pubkey=0x010395daeelbe05£3038ae529ef2668afd7 9F5£F1b16203c9Iceaef801cea9cbh74 
bcfb51a6ecc08890d3eb4b5470c0Fc35465c8ba2ce9d1145f£07b5427e04cf£4a38ef98a7£29edcb 
4d7689£2da7a69199e4318b4c8d0ea25d33e4f084186a2a54F4b4cecl2ccala5deac3b19d561c16 
a76bab772888f1fd71laa08£08502a141b611£ 

Modulus: 
Ox95daeelbe05f3038ae529ef2668afd79F5FF1b16203c9Iceaef801lcea9ch74bcfb51labecc08890 
d3eb4b5470c0fc35465c8ba2ce9d1145ff£07b5427e04cf4a38ef 98a7£29edcbh4d7689f2da7a6919 
9e4318b4c8d0ea25d33e4f084186a2a54 fF 4b4cecl2ccala5deac3b19d561cl16a76bab772888f1fd 
7laa08f08502a141b611f 
PublicExponent: 0x03 

# everything after this point is secret 

PrivateExponent: 
0x63e74967eaea2025c98cb69f6eEf0753a6a3f£6764157dbdf1£50013471324dd352366f48805b0b 
37£232384b2b52ce2ee85d173468b62eaa052381a9588a317b3a1324d01a531a4lfalvadd6cS5efbd 
d88f4718feed2bc024 6be924e81bb90 F03e49ceedf7af0dd48f06F265b519600bd082cbebbd27ea 
a7icc0288dflecc3b062b 

Prime1: 
0xc5b471a88b025dd0 9d4bd7b61840f20d182d9b75bb7cl1lleb4bd78312209e3aeeT7ebfeb632304db 
6df5e211d2laf7fee79c5d4554 6bea3ccc7b744254f6f0b847£ 
Prime2: 
Oxc20a99feeafe79767122409b693be75£15elaef76d098ab12579624aec708e85e2c5dd62080c3 
a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361 
Exponent1: 
0x83cdal1b0756e935be328fcebad5f6b36573bcf9I2Ta80bF2328fachb6c0697cI9efF2a9976cade7 
9Yea3ecO0bel674fFF££4512e8d8e2f29c2888524d818dFt£9f5d02fF 
Exponent2: 
Ox815c66a9flfefba44b6c2b124627ef 94b9411F4F£9e065c7618 Fb9b6dc9daN5f03ec83e8ec055d7 
c42ced4ca2e75£0£3231£5061086ccd176£37£9e81ldalcf8ceb 

Coefficient: 
0x10d954c9e2b8d11f£4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7£0183ced 
d£d805466d62£767£3£5a5731a73875d30186520f1753a7e325 























RSA keys for gateway mail (mail-keys): 
[root@mail /]# cd / 
[root@mail /]# vi mail-keys 




# 1024 bits, Fri Feb 4 04:46:59 2000 

# for signatures only, UNSAFE FOR ENCRYPTION 

#pubkey=0x01037631b81£00d5e6£888c542d44dbb784cd3646£084ed96£942d341c7c4686c 
bd405b805dc728£8697475£11e8b1dd797550153a3f0d4££0£2b274b70a2ebc88£073748d1c1c88 
2ldc6be6a2f£0064F3be7 F8e4549F8ab9af64944£829b014788dd202c£7d2e320cab666f5e7a197e 
64efe0bfee94e92ce4dad82d5230c57b8 9edf 

Modulus: 
0x7631b81f00d5e6£888c542d44dbb784cd3646f084ed96f942d341c7c4686chd405b805dc728f8 
697475f11e8b1dd797550153a3f0d4ff0F2b274b70a2ebc88f073748dlclc8821ldcb6beba2f0064F 
3be7f£8e4549f 8ab9af64944F829b014788dd202cf7d2e320cab666f5e7al97eb64efeN0bfee94e92c 
e4dad82d5230c57b8 9edf 

PublicExponent: 0x03 

# everything after this point is secret 

PrivateExponent: 
Ox4echd014ab3944a5b08381le2de7cfadde242f4b03490£50d737812£d8459dd3803d003e84c5fa 
f0f84ea0bf07693a64e35637c2a08df£5£721a324b1747db09f62c871d5e11711251b845ae7 6753 
d4ef967c494b0def4£5d0762f65da603bc04c41b4c6cab4c413a72c633b608267ae2889C162a3d5 
bc07ee083b1c6e038400b 

Prime1: 
Oxc7£7cc8feaaac65039c39333b878bffd8F9I5b0dc22995c553402a5b287F341012253e9F25b839 
83c936f6ca51292 6bebee3d5403bf9F4557206cb6bbfd9aac899 

Prime2: 
0x975015cb603ac1d488dc876132d8bc83079435d2d3395c03d5386b5c004eadd4d7b01b3d86aad 
0a2275d2d6b791a2abe50d07740b7725679811a32ca22db97637 
Exponent1: 
0x854fddb5471c84357bd7b777d0507ffe5fb92092c1bb92e37801c3cc5aa22b5616e29bfb6e7adl 
028624a486e0c619d47f£428e2ad2a6a2e3a159d9d2a911c85bb 
Exponent2: 
0x64e00e87957c81385b3dat9621e5d302050d07937377b92ad38d047 92aadfle8de52012290471le 
06cla3e1e47a61171d435e4f807a4c39a6561177316c9264ecf 

Coefficient: 
0x6£087591lbecddc210c2ee0480e30beeb25615a3615203cd3cef65e5al1d476Ffd9602ca0ef10d9b 
858edb22db42c975fb71883a470b43433a7Tbe57dfJ7ace4a0a3f 


























Extract and copy the public RSA key files of deep and mail to your ipsec.conf files as shown 
below. You can locate the line related to the public key by a sentence beginning with the 
commented-out: “#pubkey=" line. 


# sample connection 

conn deep-mail 
left=208.164.186.1 
leftsubnet=192.168.1.0/24 
leftnexthop=205.151.222.250 
right=208.164.186.2 
rightsubnet=192.168.1.0/24 
rightnexthop=205.151.222.251 
keyingtries=0 
auth=ah 
authby=rsasig 
leftrsasigkey=0x010395daeelbe05f3038ae529ef2668afd79f5££1b16203c9ceaef801ce 
a9cb74bcfb51ab6ecc088 90d3eb4b5470c0Fc35465c8ba2ce9d1145f£07b5427e04cf4a38ef9 
8a7£29edcb4d7 68 9£2da7a69199e4318b4c8d0ea25d33e4F084186a2a54£F4b4cecl2ccala5d 
eac3b19d561c16a76bab772888f1£d71aa08£08502a141b611F 
rightrsasigkey=0x01037631b81f£00d5e6£888c542d44dbb78 4cd3646£084ed96£942d341c 
70468 6cbd405b805dc728£8697475£11e8b1dd797550153a3f0d4£f£0£2b274b70a2ebc88£07 
3748d1clc8821dc6be6a2f£0064F3be7£8e4549F8ab9af64944F829b014788dd202c£7d2e320 
cab666f5e7al97e64efeNbfee94e92ce4dad82d5230c57b8 9edf 
auto=start 
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NOTE: Don't forget that, in this example, the "leftrsasigkey=" parameter contains the public 
key of deep and the "rightrsasigkey=" parameter contains the public key of mail. 





Step 3 
Modify your /etc/ipsec.secrets files to use RSA private keys in *each* gateway: 


Edit your original ipsec.secrets file (vi /etc/ipsec.secrets) and add the RSA private 
key for authentication on both gateways: 


The ipsec.secrets file for gateway deep: 
[root@deep /]# vi /etc/ipsec.secrets 


208.164.186.1 208.164.186.2 
"0x9748cc31_2e99194f d230589b_cd846b57_dc070b01_74b66£34_19c40ala_804906ed" 


You must change your original ipsec.secrets file as shown above to look like the following on 
both gateways. It is important to note that the private keys are not the same on both gateways, 
deep and mail. The private key for deep comes from the RSA key file "deep-keys", while the 
private key for mail comes from the RSA key file "mail-keys": 


208.164.186.1 208.164.186.2: RSA { 

Modulus: 
Ox95daeelbe05f3038ae529ef2668afd7IF5FfF1b16203c9Iceaef 801 ceaIchb7 4bcfb51labecc08890 
d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef 98a7 £29edcbh4d7689f2da7a6919 
9e4318b4c8d0ea25d33e4f084186a2a54 F4b4cecl2ccala5deac3b19d561cl1l6a76bab772888f1fd 
Tlaa08f08502a141b611f 

PublicExponent: 0x03 

# everything after this point is secret 

PrivateExponent: 
0x63e74967eaea2025c98cb69f b6ef0753ab6a3f£6764157dbdf1£50013471324dd352366f48805b0b 
37£232384b2b52ce2ee85d173468b62eaa052381a9588a317b3al324d01a531a4lfalvadd6c5efbd 
d88f£4718feed2bc024 6be924e81bb90 F03e49ceedf7af0dd48f06F265b519600bd082cbebbd27ea 
a7icc0288dflecc3b062b 

Prime1: 
0xc5b471a88b025dd0 9d4bd7b61840f20d182d9b75bb7cl1leb4bd78312209e3aeeT7ebfeb632304db 
6df5e211d2laf7fee79c5d4554 6bea3ccc7b744254f6f0b847£ 

Prime2: 
Oxc20a99feeafe79767122409b693be75£f15elaef76d098ab12579624aec708e85e2c5dd62080c3 
a64363f2f45b0e96cbh4aef8918ca333a326d3f6dc2c72b75361 
Exponent1: 
0x83cdal1b0756e935be328fcebad5f6b36573bcf9I2Ta80bF2328fachb6c0697c9efF2a9976cade7 
9Yea3ecO0bel674£F£4512e8d8e2f29c2888524d818dF£9F5d02fF 
Exponent2: 
Ox815c66a9flfefba44b6c2b124627ef 94b9411F4F£9e065c7618 Fb9b6dc9daN5Ff03ec83e8ec055d7 
c42ced4ca2e75£0£3231£5061086ccd176£37£9e81dalcf8ceb 

Coefficient: 
0x10d954c9e2b8d11f4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7£0183ced 
d£d805466d62£767£3£5a5731a73875d30186520f1753a7e325 


} 
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The ipsec.secrets file for gateway mail: 
[root@mail /]# vi /etc/ipsec.secrets 


208.164.186.1 208.164.186.2: RSA { 

Modulus: 
Ox95daeelbe05f3038ae529ef2668afd7IF5FfF1b16203c9ceaef 801 cea¥ch7 4bcfb51labecc08890 
d3eb4b5470c0fc35465c8ba2ce9d1145ff07b5427e04cf4a38ef 98a7 £29edch4d7689f2da7a6919 
9e4318b4c8d0ea25d33e4f084186a2a54f4b4cecl2ccala5deac3b19d561cl6a76bab772888f1fd 
7laa08f08502a141b611f 

PublicExponent: 0x03 

# everything after this point is secret 

PrivateExponent: 
0x63e74967eaea2025c98cb69f 6ef0753ab6a3f£6764157dbdf1£50013471324dd352366f48805b0b 
37£232384b2b52ce2ee85d173468b62eaa052381a9588a317b3al324d01a531a4lfavadd6c5efbd 
d88f4718feed2bc024 6be924e81bb90F03e4 9ceedf7af0dd48f06F265b519600bd082cbebbd27ea 
a7icc0288dflecc3b062b 

Prime1: 

Oxc5b471a88b025dd0 9d4bd7b61840f20d182d9b75bb7cl1lleb4bd7 831220 9e3aeeT7ebfeb632304db 
6df5e211d2laf7fee79c5d4554 6bea3ccc7b744254f6f0b847£ 

Prime2: 
Oxc20a99feeafe79767122409b693be75£f15elaef76d098ab12579624aec708e85e2c5dd62080c3 
a64363f2f45b0e96cb4aef8918ca333a326d3f6dc2c72b75361 
Exponent1: 
0x83cdal1b0756e935be328fcebad5f6b36573bcf9I2Ta80bF2328fachb6c0697cI9efF2a9976cade7 
9Yea3ecO0bel674fFF£F£4512e8d8e2Ff29c2888524d818dF£9Ff5d02fF 
Exponent2: 
Ox815c66a9flfefba44b6c2b124627ef 94b9411F4F£9e065c7618 Fb9b6dc9daN5f03ec83e8ec055d7 
c42ced4ca2e75£0£3231£5061086ccd176£37£9e81dalcf8ceb 

Coefficient: 
0x10d954c9e2b8d11f£4db1b233ef37ff0a3cecfffad89ba5d515449b007803f577e3bd7£0183ced 
d£d805466d62£767£3£5a5731a73875d30186520f1753a7e325 

} 











Authentication by RSA signatures requires that each host have its own private key. The key part 
of an entry may start with a token indicating the kind of key. "RSA" signifies an RSA private key and 
"PSK" (which is the default) signifies a PreShared Key. Since "PSK" is the default, we must specify 
"RSA" so that we will be able to use RSA private keys in this file (ipsec.secrets). The super-user 
"root" should own the file ipsec.secrets, and its permissions should be set to block all access 
by others. 
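An added example (not the book's code) covering both the shared-secret entries from Steps 1 to 3 above and the RSA { ... } form described here: it parses an ipsec.secrets file, flags unquoted or short secrets and RSA entries with missing fields, and applies the root-owned, mode 600 rule to an os.stat result. The sample file is constructed and contains no real key material; the 128-bit threshold for a weak hex secret is this example's choice.

```python
"""Sanity-check a FreeS/WAN /etc/ipsec.secrets file (added example, not
from the book): parses quoted preshared secrets and 'ip ip: RSA { ... }'
entries, and applies the root-owned / mode 600 rule the book states."""
import re
import stat

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
PSK_LINE = re.compile(rf'^({IP})\s+({IP})\s+"([^"]*)"\s*$')
UNQUOTED_LINE = re.compile(rf"^({IP})\s+({IP})\s+\S+\s*$")
RSA_OPEN = re.compile(rf"^({IP})\s+({IP}):\s*RSA\s*\{{\s*$")
FIELD_LINE = re.compile(r"^\s*([A-Za-z0-9]+):\s*(.*?)\s*$")
HEX_VALUE = re.compile(r"^0x[0-9a-fA-F_]+$")
RSA_FIELDS = ("Modulus", "PublicExponent", "PrivateExponent", "Prime1",
              "Prime2", "Exponent1", "Exponent2", "Coefficient")


def parse_secrets(text):
    """Return (entries, problems); entries are dicts of kind PSK or RSA."""
    entries, problems = [], []
    current = None   # RSA entry being filled in
    field = None     # field whose wrapped hex value may continue on next line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if current is not None:
            if line.strip() == "}":
                missing = [f for f in RSA_FIELDS if f not in current["fields"]]
                if missing:
                    problems.append(f"line {lineno}: RSA entry lacks "
                                    + ", ".join(missing))
                for name, value in current["fields"].items():
                    if not HEX_VALUE.match(value):
                        problems.append(f"line {lineno}: RSA field {name} "
                                        "is not a hex number")
                entries.append(current)
                current = field = None
            elif (m := FIELD_LINE.match(line)):
                field = m.group(1)
                current["fields"][field] = m.group(2)
            elif field is not None:
                current["fields"][field] += line.strip()  # wrapped hex line
            continue
        if (m := RSA_OPEN.match(line)):
            current = {"kind": "RSA", "left": m.group(1), "right": m.group(2),
                       "fields": {}}
        elif (m := PSK_LINE.match(line)):
            secret = m.group(3)
            entries.append({"kind": "PSK", "left": m.group(1),
                            "right": m.group(2), "secret": secret})
            if HEX_VALUE.match(secret):
                bits = 4 * len(secret[2:].replace("_", ""))
                if bits < 128:   # threshold chosen here; ranbits 256 gives 256
                    problems.append(f"line {lineno}: hex secret is only "
                                    f"{bits} bits")
            elif len(secret) < 20:
                problems.append(f"line {lineno}: secret is short and easy to guess")
        elif UNQUOTED_LINE.match(line):
            problems.append(f"line {lineno}: secret must be enclosed in quotes")
        else:
            problems.append(f"line {lineno}: cannot parse {raw!r}")
    if current is not None:
        problems.append("unterminated RSA block at end of file")
    return entries, problems


def permission_problems(st_mode, st_uid):
    """The book's rule: owned by root, mode 600 (no group/other access)."""
    problems = []
    if st_uid != 0:
        problems.append("file is not owned by root")
    if stat.S_IMODE(st_mode) & 0o077:
        problems.append(f"mode {stat.S_IMODE(st_mode):04o} allows access by others")
    return problems


# Constructed sample (no real key material): a good PSK, a weak PSK, an
# unquoted secret, and an RSA entry that lacks its Coefficient field.
SAMPLE_SECRETS = """\
# ipsec.secrets for gateway deep
208.164.186.1 208.164.186.2 "0x9748cc31_2e99194f_d230589b_cd846b57_dc070b01_74b66f34_19c40a1a_804906ed"
208.164.186.1 208.164.186.3 "0xdeadbeef"
208.164.186.1 208.164.186.4 tooshort
208.164.186.1 208.164.186.2: RSA {
        Modulus:
        0x95daee1b
        e05f3038
        PublicExponent: 0x03
        PrivateExponent: 0x63e74967
        Prime1: 0xc5b471a8
        Prime2: 0xc20a99fe
        Exponent1: 0x83cda11b
        Exponent2: 0x815c66a9
        }
"""
```

For a real file, pass os.stat("/etc/ipsec.secrets").st_mode and .st_uid to permission_problems and the file's text to parse_secrets.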


Requiring network setup for IPSec 

There are some considerations you must ensure are correct before running FreeS/WAN 
software. These considerations are important if you don’t want to receive error messages during 
start up of your VPN. The following are the steps to follow: 


Step 1 
You will need to enable TCP/IP forwarding on both gateway servers. In Linux, this is 
accomplished by adding the following line: 


• To enable IPv4 forwarding on your Linux system, edit the /etc/sysctl.conf file (vi 
/etc/sysctl.conf) and add the following line: 


# Enable packet forwarding 
net.ipv4.ip_forward = 1 
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You must restart your network for the change to take effect. The command to restart the network 
is the following: 


• To restart all network devices manually on your system, use the following command: 
[root@deep /]# /etc/rc.d/init.d/network restart 
Setting network parameters                [  OK  ] 
Bringing up interface lo                  [  OK  ] 
Bringing up interface eth0                [  OK  ] 
Bringing up interface eth1                [  OK  ] 


Step 2 

Recall that automatically keyed connections use keys automatically generated by the Pluto key 
negotiation daemon. The pluto daemon will start up, try to connect to the Pluto daemon at the 
other end of the tunnel, and establish a connection. For this reason, an IPSEC gateway should 
have packet filter rules (in the firewall script file) permitting the following protocols to traverse the 
gateway when talking to the other IPSEC gateway: 


✓ UDP port 500 for IKE implemented by the Pluto daemon 
✓ Protocol 50 for ESP encryption and/or authentication 
✓ Protocol 51 for AH packet-level authentication 


• Edit the iptables script file (vi /etc/rc.d/init.d/iptables) on both gateway 
machines, and add the following lines to allow IPSEC packets to traverse the remote 
network gateway to your network gateway and vice versa: 


# FreeS/WAN IPSec VPN 
# ------------------- 
# If you are using the FreeSWAN IPSec VPN, you will need to fill in the 
# addresses of the gateways in the IPSECSG and the virtual interfaces for 
# FreeS/Wan IPSEC in the FREESWANVI parameters. Look at the beginning of 
# this firewall script rules file to set the parameters. 
# IPSECSG is a Space separated list of remote gateways. FREESWANVI is a 
# Space separated list of virtual interfaces for FreeS/Wan IPSEC 
# implementation. Only include those that are actually used. 

# Allow IPSEC protocol from remote gateways on external interface 
# IPSEC uses three main types of packet: 
# IKE uses the UDP protocol and port 500, 
# ESP use the protocol number 50, and 
# AH use the protocol number 51 
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \ 
         -s $IPSECSG --source-port 500 -j ACCEPT 
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
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \ 
         -d $IPSECSG --destination-port 500 -j ACCEPT 

iptables -A INPUT -i $EXTERNAL_INTERFACE -p 50 \ 
         -s $IPSECSG -j ACCEPT 
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
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 50 \ 
         -d $IPSECSG -j ACCEPT 

iptables -A INPUT -i $EXTERNAL_INTERFACE -p 51 \ 
         -s $IPSECSG -j ACCEPT 
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
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
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p 51 \ 
         -d $IPSECSG -j ACCEPT 
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
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
# Allow all traffic to FreeS/WAN Virtual Interface 
iptables -A INPUT -i $FREESWANVI -j ACCEPT 

iptables -A OUTPUT -o $FREESWANVI -j ACCEPT 

# Forward anything from the FreeS/WAN virtual interface IPSEC tunnel 
iptables -A FORWARD -i $FREESWANVI -j ACCEPT 


Where EXTERNAL_INTERFACE="eth0"   # Your external interface to the Internet. 
Where IPSECSG="208.164.186.2"     # Space separated list of remote VPN gateways. 
Where FREESWANVI="ipsec0"         # Space separated list of virtual interfaces for FreeS/WAN. 








NOTE: See the chapter related to "Networking Firewall" for more information. Don't forget to 
add/check these firewall rules on the other gateway as well. 





Step 3 

The rp_filter subsystem (related to IP spoofing protection) must be turned off on both 
gateways for IPSEC to work properly. This is accomplished by checking that the value 0 (off) is set 
in the /proc/sys/net/ipv4/conf/ipsec0/rp_filter and 
/proc/sys/net/ipv4/conf/eth0/rp_filter files respectively: 








• To check if the value 0 (off) is set in the rp_filter files, use the commands: 
[root@deep /]# cat /proc/sys/net/ipv4/conf/ipsec0/rp_filter 
0 
[root@deep /]# cat /proc/sys/net/ipv4/conf/eth0/rp_filter 
0 








NOTE: The subdirectory "ipsec0" in our example will be created only after the reboot of your 
system. So you may check the value of the "rp_filter" file in the "ipsec0" directory after your 
system has been restarted. 





• To set the value 0 (off) in both rp_filter files manually, use the commands: 
[root@deep /]# echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter 
[root@deep /]# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter 


You can also put lines like the following in your firewall script file 
/etc/rc.d/init.d/iptables on both gateways to set these values to 0 (off) 
automatically and avoid setting them manually: 

# Disable IP spoofing protection to allow IPSEC to work properly 
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter 
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter 

NOTE: In the example of the firewall script file above, we assume that eth0 is the interface you 
use for your connection. Of course, if you use eth1 you must change eth0 to eth1, and so on. 





If you forget this step you will receive error messages on your terminal such as the following 
during the start up of FreeS/WAN IPSEC: 

ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work 
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = `1', should be 0) 
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work 
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = `1', should be 0) 
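A pre-start check for the Step 3 settings, added here as an illustration and not code from the book: it reads rp_filter for each named interface plus the ip_forward flag that the testing section later in this chapter also requires, and reports anything that would produce the KLIPS warnings shown above. PROC_ROOT, ipsec_gateway_preflight and ipsec_gateway_fix are names chosen for this example.

```shell
# PROC_ROOT defaults to /proc; point it at a constructed tree to exercise the
# check without touching the running kernel.
PROC_ROOT="${PROC_ROOT:-/proc}"

# ipsec_gateway_preflight IFACE...: prints one line per problem and returns
# the number of problems found (0 means ipsec_setup should start cleanly).
ipsec_gateway_preflight() {
    problems=0
    for iface in "$@"; do
        f="$PROC_ROOT/sys/net/ipv4/conf/$iface/rp_filter"
        if [ ! -r "$f" ]; then
            # ipsec0 only appears once KLIPS has attached it (see the NOTE in
            # Step 3), so a missing file means "not up yet", not "misconfigured".
            echo "$iface: $f not present (interface not up yet?)"
            problems=$((problems + 1))
        elif [ "$(cat "$f")" != "0" ]; then
            echo "$iface: rp_filter = $(cat "$f"), should be 0 or KLIPS may not work"
            problems=$((problems + 1))
        fi
    done
    # The ping test between subnets needs forwarding on the gateway.
    fwd="$PROC_ROOT/sys/net/ipv4/ip_forward"
    if [ ! -r "$fwd" ] || [ "$(cat "$fwd")" != "1" ]; then
        echo "ip_forward is not 1: LAN packets will not be passed to the tunnel"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# ipsec_gateway_fix IFACE...: applies the same echo commands the firewall
# script carries in Step 3, plus forwarding; meant to be run as root.
ipsec_gateway_fix() {
    for iface in "$@"; do
        echo 0 > "$PROC_ROOT/sys/net/ipv4/conf/$iface/rp_filter"
    done
    echo 1 > "$PROC_ROOT/sys/net/ipv4/ip_forward"
}
```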
Step 4 

It's important to note that any masquerading rules for internal networks that use IPSEC must 
come after the rules allowing IPSEC related traffic (Steps 2 and 3 above), or the machine will 
try to masquerade the packets instead of passing them over to IPSEC. 

Edit the iptables script file (vi /etc/rc.d/init.d/iptables) on both gateway machines 
and add/check the following lines to allow masqueraded packets to traverse the remote network 
gateway to your network gateway and vice versa: 

# Masquerade internal traffic. 
# All internal traffic is masqueraded externally. 
iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE 

Where EXTERNAL_INTERFACE="eth0" # Your external interface to the Internet. 
Where INTRANET="192.168.1.0/24" # whatever private range you use. 





























NOTE: See the chapter related to "Networking Firewall with Masquerading and Forwarding support" 
for more information. 





Now, you can reboot your system, and the machines on Gateway A should be able to talk to the 
machines on Gateway B with no problems. 


Testing the FreeS/WAN installation 


• Reboot both gateways to get FreeS/WAN started. 

• Examine the /var/log/messages file for any signs of trouble. If all goes well you 
should see something like this in the /var/log/messages file: 

Feb 2 05:22:35 deep ipsec_setup: Starting FreeS/WAN IPSEC snap2000jan31b... 
Feb 2 05:22:35 deep ipsec_setup: KLIPS debug `none' 
Feb 2 05:22:35 deep ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.1/255.255.255.0 broadcast 192.168.1.255 
Feb 2 05:22:36 deep ipsec_setup: Disabling core dumps: 
Feb 2 05:22:36 deep ipsec_setup: Starting Pluto (debug `none'): 
Feb 2 05:22:37 deep ipsec_setup: Loading Pluto database `deep-mail': 
Feb 2 05:22:37 deep ipsec_setup: Enabling Pluto negotiation: 
Feb 2 05:22:37 deep ipsec_setup: Routing for Pluto conns `deep-mail': 
Feb 2 05:22:37 deep ipsec_setup: Initiating Pluto tunnel `deep-mail': 
Feb 2 05:22:39 deep ipsec_setup: 102 "deep-mail" #1: STATE_MAIN_I1: initiate 
Feb 2 05:22:39 deep ipsec_setup: 104 "deep-mail" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2 
Feb 2 05:22:39 deep ipsec_setup: 106 "deep-mail" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3 
Feb 2 05:22:39 deep ipsec_setup: 004 "deep-mail" #1: STATE_MAIN_I4: SA established 
Feb 2 05:22:39 deep ipsec_setup: 110 "deep-mail" #2: STATE_QUICK_I1: initiate 
Feb 2 05:22:39 deep ipsec_setup: 004 "deep-mail" #2: STATE_QUICK_I2: SA established 
Feb 2 05:22:39 deep ipsec_setup: ...FreeS/WAN IPSEC started 

• Examine the /var/log/secure file for any signs of trouble. If all goes well you should 
see something like the following: 

Feb 21 14:45:42 deep Pluto[432]: Starting Pluto (FreeS/WAN Version 1.3) 
Feb 21 14:45:43 deep Pluto[432]: added connection description "deep-mail" 
Feb 21 14:45:43 deep Pluto[432]: listening for IKE messages 
Feb 21 14:45:43 deep Pluto[432]: adding interface ipsec0/eth0 192.168.1.1 
Feb 21 14:45:43 deep Pluto[432]: loading secrets from "/etc/ipsec.secrets" 
Feb 21 14:45:43 deep Pluto[432]: "deep-mail" #1: initiating Main Mode 
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #1: ISAKMP SA established 
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #2: initiating Quick Mode POLICY_RSASIG+POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_TUNNEL+POLICY_PFS 
Feb 21 14:45:46 deep Pluto[432]: "deep-mail" #2: sent QI2, IPsec SA established 
Feb 21 14:45:47 deep Pluto[432]: "deep-mail" #3: responding to Main Mode 
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #3: sent MR3, ISAKMP SA established 
Feb 21 14:45:49 deep Pluto[432]: "deep-mail" #4: responding to Quick Mode 
Feb 21 14:45:50 deep Pluto[432]: "deep-mail" #4: IPsec SA established 














• On both gateways, the following entries should now exist in the /proc/net/ directory: 

[root@deep /]# ls -l /proc/net/ipsec* 
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_erout 
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_klipsdebug 
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spi 
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spigrp 
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_spinew 
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_tncfg 
-r--r--r--   1 root     root            0 Feb  2 05:30 /proc/net/ipsec_version 

• The IPSEC interfaces should be attached on top of the specified physical interfaces. 
Confirm that with: 

[root@deep /]# cat /proc/net/ipsec_tncfg 
ipsec0 -> eth0 mtu=16260 -> 1500 
ipsec1 -> NULL mtu=0 -> 0 
ipsec2 -> NULL mtu=0 -> 0 
ipsec3 -> NULL mtu=0 -> 0 
• Now execute the following command to show minimal debugging information and see if 
the output looks something like this: 

[root@deep /]# ipsec look 
deep.openna.com Fri Feb 4 17:25:17 EST 2000 
192.168.1.1/32 -> 192.168.1.2/32 => tun0x106@192.168.1.2 esp0x4450894d@192.168.1.2 ah0x4450894c@192.168.1.2 
ah0x3350f551@192.168.1.1 AH_HMAC_MD5: dir=in ooowin=32 seq=115 bit=0xffffffff alen=128 aklen=16 life(c,s,h)=bytes(16140,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499 
ah0x4450894c@192.168.1.2 AH_HMAC_MD5: dir=out ooowin=32 seq=2828 alen=128 aklen=16 life(c,s,h)=bytes(449488,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6 
esp0x3350f552@192.168.1.1 ESP_3DES: dir=in ooowin=32 seq=115 bit=0xffffffff eklen=24 life(c,s,h)=bytes(13380,0,0)add(51656,0,0)use(54068,0,0)packets(115,0,0) idle=499 
esp0x4450894d@192.168.1.2 ESP_3DES: dir=out ooowin=32 seq=2828 eklen=24 life(c,s,h)=bytes(381616,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6 
tun0x105@192.168.1.1 IPIP: dir=in 192.168.1.2 -> 192.168.1.1 life(c,s,h)=add(51656,0,0) 
tun0x106@192.168.1.2 IPIP: dir=out 192.168.1.1 -> 192.168.1.2 life(c,s,h)=bytes(327581,0,0)add(51656,0,0)use(51656,0,0)packets(2828,0,0) idle=6 
Destination     Gateway         Genmask         Flags MSS Window irtt Iface 
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth0 
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 ipsec0 
192.168.1.1     0.0.0.0         255.255.255.255 UH      0 0        0 eth0 
192.168.1.2     192.168.1.2     255.255.255.255 UGH     0 0        0 ipsec0 


• Try pinging 192.168.1.2 from the 192.168.1.1 client. If this works then you have set 
it up correctly. If it does not work, check your network to make sure 208.164.186.1 can 
reach 208.164.186.2, that TCP/IP forwarding is enabled, and that no firewall rules are 
blocking the packets or trying to masquerade them before the rules allowing IPSec related 
traffic. For this test to work, it is important to use pings that go from one subnet to the 
other. 

208.164.186.1 ---- 205.151.222.250 ---- 205.151.222.251 ---- 208.164.186.2 
      |                                                            | 
192.168.1.0/24                                              192.168.1.0/24 
      |                                                            | 
  192.168.1.1                                                  192.168.1.2 
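An added verification helper, not from the book, for the two log formats and the ipsec_tncfg output shown above: it confirms that a named connection reached both an ISAKMP SA and an IPsec SA with no rp_filter warning, and lists which virtual interfaces are attached to a physical one. The function names and the sample log lines are constructed for this example.

```shell
# pluto_sa_status CONN: reads Pluto/ipsec_setup lines on stdin, prints a
# one-line summary and returns 0 only when CONN reached an ISAKMP (Phase 1)
# SA and an IPsec (Phase 2) SA and ipsec_setup logged no rp_filter warning.
# Both the /var/log/secure wording and the /var/log/messages state codes
# (STATE_MAIN_I4 / STATE_QUICK_I2) are recognised.
pluto_sa_status() {
    awk -v conn="$1" '
        # Lines for this connection look like: "deep-mail" #2: ...
        index($0, "\"" conn "\" #") {
            if ($0 ~ /ISAKMP SA established/ || $0 ~ /STATE_MAIN_I4: SA established/) isakmp++
            if ($0 ~ /IPsec SA established/ || $0 ~ /STATE_QUICK_I2: SA established/) ipsec++
        }
        # Step 3 was skipped on this host if ipsec_setup reports route filtering.
        /ipsec_setup: WARNING: .* has route filtering turned on/ { rpf++ }
        END {
            printf "%s: isakmp_sa=%d ipsec_sa=%d rp_filter_warnings=%d\n", conn, isakmp + 0, ipsec + 0, rpf + 0
            exit !(isakmp > 0 && ipsec > 0 && rpf == 0)
        }'
}

# ipsec_attached_ifaces: reads /proc/net/ipsec_tncfg lines on stdin and prints
# "ipsecN physical" for each virtual interface attached to a real one.
ipsec_attached_ifaces() {
    awk '$2 == "->" && $3 != "NULL" { print $1, $3 }'
}

# Constructed samples: a healthy /var/log/secure excerpt ...
SECURE_OK='Feb 21 14:45:43 deep Pluto[432]: "deep-mail" #1: initiating Main Mode
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #1: ISAKMP SA established
Feb 21 14:45:44 deep Pluto[432]: "deep-mail" #2: initiating Quick Mode POLICY_RSASIG+POLICY_ENCRYPT+POLICY_AUTHENTICATE+POLICY_TUNNEL+POLICY_PFS
Feb 21 14:45:46 deep Pluto[432]: "deep-mail" #2: sent QI2, IPsec SA established'

# ... and a /var/log/messages excerpt where Phase 1 completed, Quick Mode
# never did, and rp_filter had been left on.
MESSAGES_BAD='Feb  2 05:22:35 deep ipsec_setup: WARNING: ipsec0 has route filtering turned on, KLIPS may not work
Feb  2 05:22:39 deep ipsec_setup: 004 "deep-mail" #1: STATE_MAIN_I4: SA established
Feb  2 05:22:39 deep ipsec_setup: 110 "deep-mail" #2: STATE_QUICK_I1: initiate'

TNCFG_SAMPLE='ipsec0 -> eth0 mtu=16260 -> 1500
ipsec1 -> NULL mtu=0 -> 0
ipsec2 -> NULL mtu=0 -> 0'

# Typical use on a gateway (output shown in the lead-in's terms):
#   pluto_sa_status deep-mail < /var/log/secure
#   ipsec_attached_ifaces < /proc/net/ipsec_tncfg
```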


A last note about testing the installation of FreeS/WAN IPSEC: if you encounter a problem that 
you are unable to resolve, you can use the following command to view a collection of debugging 
information (contents of files, selections from logs, etc.) related to the IPSEC 
encryption/authentication system that you should send to the Linux-IPSEC Mailing List 
(linux-ipsec@clinet.fi) to help you. 

• Use the following command to make an output of a collection of debugging information: 
[root@deep /]# ipsec barf > result 

This command is primarily provided as a convenience for remote debugging; a single command 
which packages up (and labels) all information that might be relevant to diagnosing a problem in 
IPSEC. 
For more details, there are several man pages you can read: 

$ man ipsec (8)                       - invoke IPSEC utilities 
$ man ipsec atoaddr, addrtoa (3)      - convert Internet addresses to and from ASCII 
$ man ipsec atoasr (3)                - convert ASCII to Internet address, subnet, or range 
$ man ipsec atobytes, bytestoa (3)    - convert binary data bytes from and to ASCII formats 
$ man ipsec atodata, datatoa (3)      - convert binary data from and to ASCII formats 
$ man ipsec atosa, satoa (3)          - convert IPSEC Security Association IDs to and from ASCII 
$ man ipsec atosubnet, subnettoa (3)  - convert subnet/mask ASCII form to and from addresses 
$ man ipsec atoul, ultoa (3)          - convert unsigned-long numbers to and from ASCII 
$ man ipsec auto (8)                  - control automatically-keyed IPSEC connections 
$ man ipsec barf (8)                  - spew out collected IPSEC debugging information 
$ man ipsec bitstomask (3)            - convert bit count to Internet subnet mask 
$ man ipsec eroute (8)                - manipulate IPSEC extended routing tables 
$ man ipsec goodmask (3)              - is this Internet subnet mask a valid one? 
$ man ipsec hostof (3)                - given Internet address and subnet mask, return host part 
$ man ipsec klipsdebug (8)            - set Klips (kernel IPSEC support) debug features and level 
$ man ipsec look (8)                  - show minimal debugging information 
$ man ipsec manual (8)                - take manually-keyed IPSEC connections up and down 
$ man ipsec masktobits (3)            - convert Internet subnet mask to bit count 
$ man ipsec optionsfrom (3)           - read additional "command-line" options from file 
$ man ipsec pluto (8)                 - IPsec IKE keying daemon 
$ man ipsec ranbits (8)               - generate random bits in ASCII form 
$ man ipsec rangetoa (3)              - convert Internet address range to ASCII 
$ man ipsec rsasigkey (8)             - generate RSA signature key 
$ man ipsec setup (8)                 - control IPSEC subsystem 
$ man ipsec spi (8)                   - manage IPSEC Security Associations 
$ man ipsec spigrp (8)                - group/ungroup IPSEC Security Associations 
$ man ipsec subnetof (3)              - given Internet address and subnet mask, return subnet number 
$ man ipsec tncfg (8)                 - associate IPSEC virtual interface with real interface 
$ man ipsec whack (8)                 - control interface for IPSEC keying daemon 
$ man ipsec.conf (5)                  - IPSEC configuration and connections 
$ man ipsec.secrets (5)               - secrets for IKE/IPsec authentication 
List of installed FreeS/WAN files on your system 


> /etc/rc.d/init.d/ipsec 

> /etc/rc.d/rc0.d/K68ipsec 

> /etc/rc.d/rc1.d/K68ipsec 

> /etc/rc.d/rc2.d/S47ipsec 

> /etc/rc.d/rc3.d/S47ipsec 

> /etc/rc.d/rc4.d/S47ipsec 

> /etc/rc.d/rc5.d/S47ipsec 

> /etc/rc.d/rc6.d/K68ipsec 

> /etc/ipsec.conf 

> /etc/ipsec.secrets 

> /usr/lib/ipsec 

> /usr/lib/ipsec/spi 

> /usr/lib/ipsec/eroute 

> /usr/lib/ipsec/spigrp 

> /usr/lib/ipsec/tncfg 

> /usr/lib/ipsec/klipsdebug 

> /usr/lib/ipsec/pluto 

> /usr/lib/ipsec/whack 

> /usr/lib/ipsec/ipsec 

> /usr/lib/ipsec/barf 

> /usr/lib/ipsec/manual 

> /usr/lib/ipsec/auto 

> /usr/lib/ipsec/look 

> /usr/lib/ipsec/showdefaults 

> /usr/lib/ipsec/_include 

> /usr/lib/ipsec/_confread 

> /usr/lib/ipsec/_keycensor 

> /usr/lib/ipsec/_secretcensor 

> /usr/lib/ipsec/_updown 

> /usr/lib/ipsec/ranbits 

> /usr/lib/ipsec/rsasigkey 

> /usr/lib/ipsec/setup 

> /usr/man/man3/ipsec_atoaddr.3 
> /usr/man/man3/ipsec_addrtoa.3 
> /usr/man/man3/ipsec_atosubnet.3 
> /usr/man/man3/ipsec_subnettoa.3 


> /usr/man/man3/ipsec_atoasr.3 

> /usr/man/man3/ipsec_rangetoa.3 

> /usr/man/man3/ipsec_atodata.3 

> /usr/man/man3/ipsec_atobytes.3 

> /usr/man/man3/ipsec_bytestoa.3 

> /usr/man/man3/ipsec_datatoa.3 

> /usr/man/man3/ipsec_atosa.3 

> /usr/man/man3/ipsec_satoa.3 

> /usr/man/man3/ipsec_atoul.3 

> /usr/man/man3/ipsec_ultoa.3 

> /usr/man/man3/ipsec_goodmask.3 
> /usr/man/man3/ipsec_masktobits.3 
> /usr/man/man3/ipsec_bitstomask.3 
> /usr/man/man3/ipsec_optionsfrom.3 
> /usr/man/man3/ipsec_subnetof.3 

> /usr/man/man3/ipsec_hostof.3 

> /usr/man/man3/ipsec_broadcastof.3 
> /usr/man/man5/ipsec.secrets.5 

> /usr/man/man5/ipsec.conf.5 

> /usr/man/man8/ipsec_spi.8 

> /usr/man/man8/ipsec.8 

> /usr/man/man8/ipsec_eroute.8 

> /usr/man/man8/ipsec_spigrp.8 

> /usr/man/man8/ipsec_tncfg.8 

> /usr/man/man8/ipsec_klipsdebug.8 
> /usr/man/man8/ipsec_pluto.8 

> /usr/man/man8/ipsec_whack.8 

> /usr/man/man8/ipsec_barf.8 

> /usr/man/man8/ipsec_look.8 

> /usr/man/man8/ipsec_manual.8 

> /usr/man/man8/ipsec_auto.8 

> /usr/man/man8/ipsec_setup.8 

> /usr/man/man8/ipsec_ranbits.8 

> /usr/man/man8/ipsec_rsasigkey.8 
> /usr/sbin/ipsec 
Part XII Other Server Related Reference 
In this Part 

Other Server - Wu-ftpd FTP Server 
Other Server - Apache Web Server 
Other Server - Samba File Sharing Server 

This part of the book deals exclusively with three important programs in the Unix world. These 
programs are the most used in server environments and have run on the Internet for many 
years. Most of us use one of them every time we surf the Internet or transfer files 
between computers on the Internet or internally via a LAN in the enterprise. 
28 Other Server - Wu-ftpd FTP Server 
In this Chapter 


Recommended RPM packages to be installed for a FTP Server 
Compiling - Optimizing & Installing Wu-ftpd 

Running Wu-ftpd in a chroot jail 

Configuring Wu-ftpd 

Securing Wu-ftpd 

Setup an Anonymous FTP server 

Wu-ftpd Administrative Tools 
Linux Wu-ftpd FTP Server 


Abstract 

Despite its age, the File Transfer Protocol (FTP) is still one of the most popular ways to transfer 
files from machine to machine across a network. Clients and servers have been written for each 
of the popular platforms on the market, thereby making FTP the most convenient way to perform 
file transfers. 


Many different ways exist to configure your FTP servers. One is as a private user-only site, which 
is the default configuration for an FTP server; a private FTP server allows users on the Linux 
system only to be able to connect via FTP and access their files. 


Other kinds exist, like the anonymous FTP server. An anonymous FTP server allows anyone 
on the network to connect to it and transfer files without having an account. Due to the potential 
security risk involved with this setup, precautions should be taken to allow access only to certain 
directories on the system. 


The configuration we will cover here is an FTP server that allows FTP to semi-secure areas of a 
Unix file system (chroot’d Guest FTP access). This configuration allows users to have access to 
the FTP server directories without allowing them to get into higher levels. This is the most secure 
setup for an FTP server and it is a useful way for remote clients to maintain their Web accounts. 


The steps I describe in this chapter allow you to set up any of the three types of FTP server 
available. At the end of this tutorial you'll find a section about anonymous FTP configuration. 










Recommended RPM packages to be installed for a FTP Server 

A minimal configuration provides the basic set of packages required by the Linux operating 
system. A minimal configuration is a perfect starting point for building a secure operating system. 
Below is the list of all recommended RPM packages required to run your Linux server properly as 
a FTP Server (FTP) running the wu-ftpd software. 

This configuration assumes that your kernel is a monolithic kernel. I also assume that you will 
install wu-ftpd from its RPM package; therefore the wu-ftpd RPM package is already included in the 
list below, as you can see. No security tools are installed; it is up to you to install them as you 
need them, from RPM packages as well, since the compiler packages are not installed and not 
included in the list. 


basesystem      bash            bdflush         bind            bzip2 
chkconfig       console-tools   cpio            cracklib        cracklib-dicts 
crontabs        db1             db2             db3             dev 
devfsd          diffutils       e2fsprogs       file            filesystem 
fileutils       findutils       gawk            gdbm            gettext 
glib            glibc           glibc-common    grep            groff 
gzip            info            initscripts     iptables        kernel 
libstdc++       libtermcap      lilo            logrotate       losetup 
MAKEDEV         man             mingetty        mktemp          mount 
ncurses         net-tools       newt            openssh         openssh-server 
openssl         pam             passwd          popt            procps 
psmisc          pwdb            qmail           quota           readline 
rootfiles       rpm             sed             setup           sh-utils 
shadow-utils    slang           slocate         sysklogd        syslinux 
SysVinit        tar             termcap         textutils       tmpwatch 
utempter        util-linux      vim-common      vim-minimal     vixie-cron 
which           words           wu-ftpd         zlib 
Tested and fully functional on OpenNA.com. 

These installation instructions assume 

• Commands are Unix-compatible. 
• The source path is /var/tmp (note that other paths are possible, at personal discretion). 
• Installations were tested on Red Hat 7.1. 
• All steps in the installation will happen using the super-user account "root". 
• Whether kernel recompilation may be required: No 
• Latest Wu-ftpd version number is 2.6.1 


Packages 
The following are based on information as listed by Wu-ftpd as of 2001/03/16. Please regularly 
check at www.wu-ftpd.org for the latest status. 

Source code is available from: 
Wu-ftpd Homepage: http://www.wu-ftpd.org/ 
Wu-ftpd FTP Site: 205.133.13.68 
You must be sure to download: wu-ftpd-2.6.1.tar.gz 


Pristine source 

If you don't use the RPM package to install this program, it will be difficult for you to locate all 
the installed files on the system in the event of an update in the future. To solve the problem, 
it is a good idea to make a list of files on the system before you install Wu-ftpd, and one 
afterwards, and then compare them using the diff utility of Linux to find out what files are 
placed where. 

• Simply run the following command before installing the software: 
[root@deep /root]# find /* > Wu-ftpd1 

• And the following one after you install the software: 
[root@deep /root]# find /* > Wu-ftpd2 

• Then use the following command to get a list of what changed: 
[root@deep /root]# diff Wu-ftpd1 Wu-ftpd2 > Wu-ftpd-Installed 

















With this procedure, if any upgrade appears, all you have to do is read the generated list of 
what files were added or changed by the program and remove them manually from your system 
before installing the new software. In our example above, we use the /root directory of 
the system to store all generated list files. 

Compiling - Optimizing & Installing Wu-ftpd 
Below are the required steps that you must make to configure, compile and optimize the Wu-ftpd 
software before installing it into your Linux system. First off, we install the program as user 
"root" so as to avoid authorization problems. 


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


• These procedures can be accomplished with the following commands: 
[root@deep /]# cp wu-ftpd-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf wu-ftpd-version.tar.gz 
Step 2 
After that, move into the newly created Wu-ftpd directory. 


• To move into the newly created Wu-ftpd directory use the following command: 
[root@deep tmp]# cd wu-ftpd-2.6.1/ 


Step 3 

Now it is time to configure the software for our system in the most secure and optimized manner 
available. As you will be notified in many documentation files in the Wu-ftpd source directory, 
beginning with version 2.6.0 of Wu-ftpd, the WU-FTPD Development Group is moving the build 
process to use GNU Autoconf. 

At this time, and because for many platforms the autoconf build is experimental, I recommend 
trying ./configure first and, if that fails, the old method ./build. 


• To configure Wu-ftpd with the recommended security and speed, use the compile lines: 
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \ 
./configure \ 
--prefix=/usr \ 
--sysconfdir=/etc \ 
--localstatedir=/var \ 
--mandir=/usr/share/man \ 
--enable-quota \ 
--enable-ratios \ 
--disable-rfc931 \ 
--disable-logtoomany \ 
--disable-plsm 


This tells Wu-ftpd to set itself up for this particular configuration setup with: 

- Add QUOTA mechanism support (if your OS supports it in the kernel). 
- Compile in support for upload/download ratios. 
- Do not do RFC931 lookups, to be faster. 
- Do not log failed attempts (for busy servers, to prevent filling up the log file and putting a high 
load on syslog). 
- Disable PID lock sleep messages causing the daemon to sleep (for busy sites only). 








WARNING: Pay special attention to the compile CFLAGS line above. We optimize Wu-ftpd for an 
i686 CPU architecture with the parameters "-march=i686" and "-mcpu=i686". Please don't forget 
to adjust this CFLAGS line to reflect your own system. 







Step 4 

Now, we must make a list of files on the system before we install the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where, and 
finally install Wu-ftpd on the server: 

[root@deep wu-ftpd-2.6.1]# make 
[root@deep wu-ftpd-2.6.1]# cd 
[root@deep /root]# find /* > Wu-ftpd1 
[root@deep /root]# cd /var/tmp/wu-ftpd-2.6.1/ 
[root@deep wu-ftpd-2.6.1]# make install 
[root@deep wu-ftpd-2.6.1]# install -m100 util/xferstats /usr/sbin/ 
[root@deep wu-ftpd-2.6.1]# touch /var/log/xferlog 
[root@deep wu-ftpd-2.6.1]# chmod 600 /var/log/xferlog 
[root@deep wu-ftpd-2.6.1]# cd /usr/sbin/ 
[root@deep sbin]# ln -sf in.ftpd wu.ftp 
[root@deep sbin]# ln -sf in.ftpd in.wuftp 
[root@deep sbin]# cd 
[root@deep /root]# find /* > Wu-ftpd2 
[root@deep /root]# diff Wu-ftpd1 Wu-ftpd2 > Wu-ftpd-Installed 

The install -m command will install the binary xferstats, used to see statistical information 
about transferred files, and the touch command will create the log file for xferstats under 
the /var/log directory. The chmod will change the mode of the xferlog file to be 
readable and writable only by the owner. 


Step 5 
After that, we will change some default properties of the Wu-ftpd binaries to be more restrictive and 
more secure. 

[root@deep /]# chmod 100 /usr/bin/ftpcount 
[root@deep /]# chmod 100 /usr/bin/ftpwho 
[root@deep /]# chmod 100 /usr/sbin/ftprestart 
[root@deep /]# chmod 100 /usr/sbin/ftpshut 
[root@deep /]# chmod 100 /usr/sbin/privatepw 
[root@deep /]# chmod 110 /usr/sbin/in.ftpd 
[root@deep /]# chown bin.bin /usr/bin/ftpcount 
[root@deep /]# chown bin.bin /usr/bin/ftpwho 
[root@deep /]# chown bin.bin /usr/sbin/ftprestart 
[root@deep /]# chown bin.bin /usr/sbin/ftpshut 
[root@deep /]# chown bin.bin /usr/sbin/privatepw 
[root@deep /]# chown bin.bin /usr/sbin/in.ftpd 
[root@deep /]# chown bin.bin /usr/sbin/wu.ftp 
[root@deep /]# chown bin.bin /usr/sbin/in.wuftp 
[root@deep /]# chown bin.bin /var/log/xferlog 





Step 6 

Once compilation, optimization and installation of the software have been finished, we can free up 
some disk space by deleting the program tar archive and the related source directory since they 
are no longer needed. 


• To delete Wu-ftpd and its related source directory, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf wu-ftpd-version/ 
[root@deep tmp]# rm -f wu-ftpd-version.tar.gz 

The rm command as used above will remove all the source files we have used to compile and 
install Wu-ftpd. It will also remove the Wu-ftpd compressed archive from the /var/tmp 
directory. 


Running Wu-ftpd in a chroot jail 

This part focuses on preventing Wu-ftpd from being used as a point of break-in to the system 
hosting it. The potential for bugs that affect security is rather high with this software, therefore an 
additional step can be taken: running Wu-ftpd in a chroot jail. 


The main benefit of a chroot jail is that the jail will limit the portion of the file system the daemon 
can see to the root directory of the jail. Additionally, since the jail only needs to support Wu-ftpd, 
the programs available in the jail can be extremely limited. 


Most importantly, there is no need for setuid-root programs, which can be used to gain root 


access and break out of the jail. By running Wu-ftpd in a chroot jail you can improve the security 
significantly in a Unix environment. 
[Figure: Wu-ftpd in chroot jail. Labels: "Our chroot jail that hosts the private FTP Server"; "Our chroot jail that hosts the anonymous FTP Server"; "Our file system on Linux". Caption: This is our chroot jail bubble, which handles a small copy of our Linux file system structure for the anonymous and private FTP Server.] 

Necessary steps to run Wu-ftpd in a chroot jail: 
What you're essentially doing is creating a skeleton root file system with enough components 
necessary (binaries, libraries, etc.) to allow Unix to do a chroot when the user logs in. 


Step 1 

It's important to give your strictly-FTP users no real shell account on the Linux system. In this 
manner, if for any reason someone could successfully get out of the FTP chrooted environment, 
they would not have the possibility of using a shell to gain access via other protocols like telnet, 
ssh, etc. 


First, create new users for this purpose; these users will be the users allowed to connect to your 
FTP server. This has to be separate from a regular user account with unlimited access because 
of how the "chroot" environment works. Chroot makes it appear from the user's perspective as if 
the level of the file system you've placed them in is the top level of the file system. 


• Use the following command to create users in the /etc/passwd file. This step must be 
done for each additional new user you allow to access your FTP server. 

[root@deep /]# useradd -d /home/httpd/gmourani -s /bin/false gmourani 2>/dev/null 
[root@deep /]# passwd gmourani 
Changing password for user gmourani 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully 


The useradd command will add the new guest user named gmourani to our Linux server and 
will set its home directory to be located under the /home/httpd/gmourani directory, since it is a 
useful location for remote clients to maintain their Web accounts. Finally, the passwd command 
will set the password for this user gmourani. 


Step 2 
Now, edit the shells file (vi /etc/shells) and add a non-existent shell name like 
"/bin/false", which is the one we used in the useradd command above. Wu-ftpd refuses to log in 
any user whose login shell is not listed in /etc/shells, which is why this entry is required even 
though /bin/false cannot be used interactively. 

[root@deep /]# vi /etc/shells 
/bin/bash2 
/bin/bash 
/bin/sh 
/bin/false ← This is our added non-existent shell 


Step 3 
Then, create all the necessary chrooted environment directories as shown below: 


[root@deep /]# mkdir /home/httpd/bin 
[root@deep /]# mkdir /home/httpd/dev 
[root@deep /]# mkdir /home/httpd/lib 
[root@deep /]# mkdir /home/httpd/usr 
[root@deep /]# mkdir /home/httpd/usr/bin 
Step 4 
After that, we must change the mode permission on the chroot glue directories to mode 
(0111/d--x--x--x) for security reasons: 

[root@deep /]# chmod 0111 /home/httpd/bin/ 
[root@deep /]# chmod 0111 /home/httpd/dev/ 
[root@deep /]# chmod 0111 /home/httpd/lib/ 
[root@deep /]# chmod 0111 /home/httpd/usr/ 
[root@deep /]# chmod 0111 /home/httpd/usr/bin/ 


Step 5 

Once all permission modes of the supporting glue directories have been changed, it is time to copy the 
required binary programs to the related directories in the chroot area for Wu-ftpd to work. 
Those programs are necessary to allow guest users to chmod, ls, tar, compress, and 
rename files on the FTP chroot jail server. If there are features you don't want any users to be 
able to use, then don't copy them to the chroot area. 

[root@deep /]# cp /bin/ls /home/httpd/bin/ 
[root@deep /]# cp /bin/tar /home/httpd/bin/ 
[root@deep /]# cp /bin/chmod /home/httpd/bin/ 
[root@deep /]# cp /bin/cpio /home/httpd/bin/ 
[root@deep /]# cp /bin/gzip /home/httpd/bin/ 
[root@deep /]# cp /usr/bin/rename /home/httpd/usr/bin/ 
[root@deep /]# chmod 0111 /home/httpd/bin/* 
[root@deep /]# chmod 0111 /home/httpd/usr/bin/* 
[root@deep /]# cd /home/httpd/bin/ 
[root@deep bin]# ln -sf gzip zcat 

NOTE: The chmod commands above will change modes of those programs to be (0111/---x--x--x) 
because we don't want users to be able to modify or read the binaries in the chroot area but 
just to execute them if necessary. 





Step 6 

The binaries we have copied to the chroot area have been compiled with shared libraries by 
default and for this reason it is important to find the shared library dependencies associated with 
them and copy them into the "lib" directory in the chroot jail area that we created earlier 
in these steps. 

As usual, to find the shared library dependencies of binaries, you have to use the ldd 
command of Linux. Because we have installed the most important FTP features, you must copy 
all the libraries below to the /home/httpd/lib directory of the chroot area. These libraries are 
part of libc, and needed by various programs in bin. 





[root@deep /]# cp /lib/libcrypt.so.1 /home/httpd/lib/ 
[root@deep /]# cp /lib/libnsl.so.1 /home/httpd/lib/ 
[root@deep /]# cp /lib/libresolv.so.2 /home/httpd/lib/ 
[root@deep /]# cp /lib/libc.so.6 /home/httpd/lib/ 
[root@deep /]# cp /lib/ld-linux.so.2 /home/httpd/lib/ 
[root@deep /]# cp /lib/libtermcap.so.2 /home/httpd/lib/ 
[root@deep /]# cp /lib/libpthread.so.0 /home/httpd/lib/ 
[root@deep /]# cp /lib/librt.so.1 /home/httpd/lib/ 
[root@deep /]# strip -R .comment /home/httpd/lib/* 

WARNING: Depending on what you have compiled with the program, the required shared libraries 
may be more numerous or different than the ones illustrated above. Please use the ldd command on 
each binary under the jail's bin directory to find out the ones you need and copy them to the lib 
directory of the chroot area. Remember that the copies in the jail are not updated by the package 
manager: after every libc or Wu-ftpd security update on the host, copy the new libraries into the 
jail again. 

The "strip -R .comment" command removes the section named ".comment" from the 
library files under the jail's lib directory. This only makes them slightly smaller on disk; the 
section is never loaded at run time, so it has no effect on performance. 





Step 7 
Finally, create the /home/httpd/dev/null file and set its mode appropriately. 


[root@deep /]# mknod /home/httpd/dev/null c 1 3 
[root@deep /]# chmod 666 /home/httpd/dev/null 
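Steps 3 to 7 above build the jail by hand, with a library list that was valid for one particular Red Hat release. The following script is an added example for this edition (it is not from the book or from the Wu-ftpd distribution) that does the same job for any list of binaries: it resolves each binary's shared libraries with ldd instead of a fixed list, keeps every library at the same path inside the jail that it has outside (on current multiarch systems the ELF interpreter is /lib64/ld-linux-x86-64.so.2 and the kernel looks for it at exactly that path inside the jail), applies the 0111 modes from Steps 4 and 5 to the binaries and glue directories only, and creates /dev/null. The function names build_jail and jail_libs are my own.

```shell
#!/bin/sh
# Added example (not from the book or Wu-ftpd): build the chroot skeleton of
# Steps 3-7 for any list of binaries. Function names are hypothetical.
set -eu

# jail_libs BINARY -> print the absolute paths of the shared objects BINARY
# needs; prints nothing for a statically linked binary.
jail_libs() {
    ldd "$1" 2>/dev/null | awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }  # libc.so.6 => /lib/... (0x...)
        $1 ~ /^\// { print $1 }                         # /lib64/ld-linux-... (0x...)
    ' || true
}

# build_jail JAIL BINARY... -> create the glue directories, copy each binary
# into JAIL/bin (or JAIL/usr/bin for programs under /usr) together with its
# libraries, create /dev/null, and apply the 0111 (---x--x--x) mode from the
# book to the binaries and glue directories. Libraries are left readable:
# the dynamic loader has to mmap() them, so 0111 would break every program.
build_jail() {
    jail=$1; shift
    for d in bin dev lib usr usr/bin; do
        mkdir -p "$jail/$d"
    done
    for bin in "$@"; do
        case "$bin" in
            /usr/*) dest="$jail/usr/bin/$(basename "$bin")" ;;
            *)      dest="$jail/bin/$(basename "$bin")" ;;
        esac
        cp "$bin" "$dest"            # follows symlinks, copies the real file
        chmod 0111 "$dest"
        jail_libs "$bin" | while IFS= read -r lib; do
            mkdir -p "$jail$(dirname "$lib")"
            [ -e "$jail$lib" ] || cp "$lib" "$jail$lib"
        done
    done
    # /dev/null is the only device node the jail needs; mknod requires root.
    if [ ! -e "$jail/dev/null" ]; then
        if mknod "$jail/dev/null" c 1 3 2>/dev/null; then
            chmod 666 "$jail/dev/null"
        else
            echo "warning: could not mknod $jail/dev/null (run as root)" >&2
        fi
    fi
    for d in bin dev lib usr usr/bin; do
        chmod 0111 "$jail/$d"
    done
}

# Usage: build-jail.sh /home/httpd /bin/ls /bin/tar /bin/chmod /bin/cpio /bin/gzip /usr/bin/rename
if [ $# -ge 2 ]; then
    build_jail "$@"
fi
```

Run it as root with the jail root and the programs you want guests to have, then check the result with `chroot /home/httpd /bin/ls /` before pointing Wu-ftpd at it: a missing library shows up immediately as a loader error instead of as a silent failure at a client's first `ls`. Rerun it after every libc update on the host, since the copies in the jail do not get patched by the package manager.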


Configuring Wu-ftpd 
After building Wu-ftpd, and all the required chroot glue environment and users, your next step is 
to verify or change, if necessary, options in your Wu-ftpd configuration files. Those files are: 

✓ /etc/ftpaccess (The Wu-ftpd Configuration File) 
✓ /etc/ftphosts (The Wu-ftpd Hosts Configuration File) 
✓ /etc/ftpconversions (The Wu-ftpd Compress Configuration File) 
✓ /etc/logrotate.d/ftpd (The Wu-ftpd Log Rotation File) 
✓ /etc/rc.d/init.d/ftpd (The Wu-ftpd Initialization File) 


/etc/ftpaccess: The Wu-ftpd Configuration File 

The /etc/ftpaccess file is the main configuration file used to configure the operation of the 
Wu-ftpd server. This file is the primary means of controlling what users, and how many users, 
can access your server, and other important points of the security configuration. 


Each line in the file either defines an attribute or sets its value. Whether you want to configure an 
anonymous, private or guest FTP server, this is the file that you must understand and 
configure. We must change the default one to fit our requirements and operating system. The text 
in bold are the parts of the configuration file that must be customized and adjusted to satisfy our 
needs. 


Step 1 
• Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines: 

class openna guest 207.35.78.* 
email admin@openna.com 
limit openna 20 MoTuWeTh,Fr0000-1800 /.too_many.msg 
loginfails 3 
readme README* login 
readme README* cwd=* 
message /welcome.msg login 
message .message cwd=* 
compress yes all 
tar yes all 
chmod no anonymous 
delete no anonymous 
overwrite no anonymous 
rename no anonymous 
log transfers anonymous,real,guest inbound,outbound 

# Specify which group of users will be treated as "guests". 
guestuser * 

# We don't want users being able to upload into these areas. 
upload /home/httpd * no 
upload /home/httpd * /dev no 
upload /home/httpd * /bin no 
upload /home/httpd * /lib no 
upload /home/httpd * /usr no 
upload /home/httpd * /usr/bin no 

# Areas where upload clauses are allowed. 
upload /home/httpd /gmourani yes gmourani gmourani 0644 dirs 0755 
upload /home/httpd /gmourani/* yes gmourani gmourani 0644 dirs 0755 

# We'll prevent downloads with noretrieve. 
noretrieve /home/httpd/dev/ 
noretrieve /home/httpd/bin/ 
noretrieve /home/httpd/lib/ 
noretrieve /home/httpd/usr/ 
noretrieve /home/httpd/usr/bin/ 

log security anonymous,real,guest 
guest-root /home/httpd gmourani 
restricted-uid gmourani 
restricted-gid gmourani 
deny-uid %-99 %65535- 
deny-gid %-99 %65535- 
greeting terse 
keepalive yes 
passwd-check rfc822 warn 


Step 2 
Now, change its default permission to be (0600 /-rw------- ). 


[root@deep /]# chmod 600 /etc/ftpaccess 


This sets up the ftpaccess file for this particular configuration with: 
class openna guest 207.35.78.* 

This option “class” specifies a class of users who can access the FTP server. You can define as 
many classes as you want in the ftpaccess file. In our example, we define the class name 
<openna>, and we allow only guest user <guest> with accounts on the FTP server to access 
their home directories via FTP if they are coming from the address 207.35.78.*. 


It’s important to note that three different kinds of users exist: anonymous, guest, and real. 
Anonymous users are anyone on the network who connect to the server and transfer files without 
having an account on it. Guest users are real users on the system for which their session is set 
up exactly as with anonymous FTP (this is the one we setup in our example), and Real users 
must have accounts and shells (this can pose a security risk) on the server to be able to access 
it. 


limit openna 20 MoTuWeTh,Fr0000-1800 /.too_many.msg 

This option “limit” specifies the number of users allowed to log in to the FTP server by class 
and time of day. In our example, we limit access to the FTP server for the class name <openna> 
to 20 users <20> from Monday through Thursday <MoTuWeTh>, all day, and Friday from midnight 
to 6:00 p.m <Fr0000-1800>. 


Also, if the limit of 20 users is reached, the content of the file </.too_many.msg> is displayed to 
the connecting user. This can be a useful parameter when you need to control the resources of 
your server. Finally, for security reasons the message file /.too_many.msg should be kept 
somewhere safe outside the chroot area, where FTP users cannot modify it. 


loginfails 3 

This option "loginfails" specifies the number of failed login attempts a connecting client can 
make before being disconnected. In our example we disconnect a client from the FTP server after 
three failed attempts. 








readme README* login 
readme README* cwd=* 

This option "readme" specifies to notify clients at login time, or upon using the change working 
directory command, that a certain file in their current directory was last modified. In our example, 
we set the name of the file to be relative to the FTP directory <README*>, and the condition 
under which to display the message to be either displayed upon a successful login <login> or 
displayed when a client enters the new default directory <cwd=*>. 

message /welcome.msg login 
message .message cwd=* 

This option “message” specifies to display special messages to the client when they either log in, 
or upon using the change working directory command. In our example, we indicate the location 
and the name of the files to be displayed <welcome.msg or .message>, and the condition 
under which to display the files to be either displayed upon a successful login <login>, or 
displayed when a client enters a new directory <cwd=*>. 








For the readme and message options above, remember that when you’re specifying a path for 
anonymous users, the path must be relative to the anonymous FTP directory. 
compress yes all 
tar yes all 
chmod no anonymous 
delete no anonymous 
overwrite no anonymous 
rename no anonymous 

These options, "compress", "tar", "chmod", "delete", "overwrite", and "rename", specify the 
permissions that you want to give to your users for these commands. In our example, we do not 
give permission to the anonymous users <anonymous> to chmod, delete, overwrite, and 
rename files, and allow everybody to use the compress and tar commands <all>. If you don't 
specify these directives, they default to "yes" for everybody, so setting them explicitly is a 
security feature. 








log transfers anonymous,real,guest inbound,outbound 

This option "log transfers" specifies to log all FTP transfers for security purposes. In our 
example, we log all anonymous, real and guest users' transfers <anonymous,real,guest> 
that are both inbound and outbound <inbound,outbound>, which specifies the direction that 
the transfers must take in order to be logged. The resulting logs are stored in the 
/var/log/xferlog file. 


guestuser * 

This option "guestuser" specifies all of your guest user names (or numeric IDs) that are real 
users on the system, for which the session is set up exactly as with anonymous FTP. You can 
also use a wildcard (*) as the value to specify all user names on the system (as we do). If 
you prefer to add each user name, it's important that each additional guestuser 
appears one per line in the configuration file. 

Finally, the guestgroup directive isn't the best way to make a user a guest: if you forget to 
explicitly add the user to the group in /etc/group, the user isn't a guest. It's for this reason that 
guestuser is recommended instead of guestgroup. This is a security feature. 


log security anonymous,real,guest 

This option "log security" specifies to enable logging of violations of security rules for 
anonymous, real, and guest FTP clients. In our example, we specify to log violations for users 
using the FTP server to access anonymous accounts, real accounts, and for users using the 
FTP server to access guest accounts <anonymous,real,guest>. This is a security feature. 


guest-root /home/httpd gmourani 
restricted-uid gmourani 
restricted-gid gmourani 

These clauses "guest-root", "restricted-uid", and "restricted-gid" specify and 
control whether or not guest users will be allowed access to areas on the FTP server outside 
their home directories (this is an important security feature). In our example, we specified the 
chroot() path for user <gmourani> to be </home/httpd>, and that this user cannot access other 
users' files because it is restricted to its home directory <restricted-uid gmourani>, 
<restricted-gid gmourani>. 

Multiple UID ranges may be given on the line. If a guest-root is chosen for the user, the user's 
home directory in the <root-dir>/etc/passwd file is used to determine the initial directory, and their 
home directory in the system-wide /etc/passwd is not used. This is a security feature. 
deny-uid %-99 %65535- 
deny-gid %-99 %65535- 

These clauses allow specification of UID and GID values which will be denied access to the FTP 
server. To summarize, it ensures no login from privileged accounts on a Linux machine and in 
many cases this can eliminate the need for the /etc/ftpusers file. If you want to allow 
anonymous FTP, then add the following two: allow-uid ftp and allow-gid ftp. This is a 
security feature. 


greeting terse 

This option "greeting" specifies how much system information will be displayed before the 
remote user logs in. There are three parameters you can choose: <full> is the default and 
shows the hostname and daemon version of the server, <brief> which shows only the 
hostname, and <terse>, which will simply say "FTP server ready" to your terminal. This is 
a security feature. 


keepalive yes 

This option "keepalive" specifies whether the system should set the TCP keep-alive option on 
the control and data connections to the remote FTP client. If set to "yes", then death of the 
connection or a crash of the remote machine will be properly noticed. 


/etc/ftphosts: The Wu-ftpd Hosts Configuration File 
This file is used to define whether users are allowed to log in from certain hosts or whether they 
are denied access. 

Step 1 
• Create the ftphosts file (touch /etc/ftphosts) and add for example in this file the 
following lines: 

# Host access configuration file 
# 
# Everything after a '#' is treated as comment, 
# empty lines are ignored 

allow ftpadmin 207.35.78.1 207.35.78.2 207.35.78.4 
deny ftpadmin 207.35.78.5 

In the above example, we allow the user <ftpadmin> to connect via FTP from the explicitly 
listed addresses <207.35.78.1 207.35.78.2 207.35.78.4>, and deny the specified 
<ftpadmin> user to connect from the site <207.35.78.5>. 

Step 2 
• Now, change its default permission to be (0600/-rw-------). 

[root@deep /]# chmod 600 /etc/ftphosts 
/etc/ftpconversions: The Wu-ftpd Compress Configuration File 
This file contains instructions that permit you to compress files on demand before the transfer. 
Each line has eight colon-separated fields: strip prefix, strip postfix, addon prefix, addon postfix, 
external command, file types, options and a description. The external command is executed by 
the daemon inside the chroot jail, so each program path given here must exist at that path 
inside the jail (compress, for example, lives in /usr/bin on Red Hat and is copied to the jail's 
usr/bin directory later in this chapter, so either adjust the path here or place the program in 
the jail's bin); a conversion whose program is missing simply fails. 

Step 1 
• Edit the ftpconversions file (vi /etc/ftpconversions) and add or verify in this 
file the following lines: 

 :.Z:  :  :/bin/compress -d -c %s:T_REG|T_ASCII:O_UNCOMPRESS:UNCOMPRESS 
 :   : :.Z:/bin/compress -c %s:T_REG:O_COMPRESS:COMPRESS 
 :.gz: :  :/bin/gzip -cd %s:T_REG|T_ASCII:O_UNCOMPRESS:GUNZIP 
 :   : :.gz:/bin/gzip -9 -c %s:T_REG:O_COMPRESS:GZIP 
 :   : :.tar:/bin/tar -c -f - %s:T_REG|T_DIR:O_TAR:TAR 
 :   : :.tar.Z:/bin/tar -c -Z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+COMPRESS 
 :   : :.tar.gz:/bin/tar -c -z -f - %s:T_REG|T_DIR:O_COMPRESS|O_TAR:TAR+GZIP 
 :   : :.crc:/bin/cksum %s:T_REG::CKSUM 
 :   : :.md5:/bin/md5sum %s:T_REG::MD5SUM 

Step 2 
• Now, change its default permissions to be (0600/-rw-------). 

[root@deep /]# chmod 600 /etc/ftpconversions 


/etc/logrotate.d/ftpd: The Wu-ftpd Log Rotation File 
Configure your /etc/logrotate.d/ftpd file to automatically rotate your log files each week. 

• Create the ftpd file (touch /etc/logrotate.d/ftpd) and add the following lines: 

/var/log/xferlog { 
    # ftpd doesn't handle SIGHUP properly 
    nocompress 
} 
/etc/rc.d/init.d/ftpd: The Wu-ftpd Initialization File 

The /etc/rc.d/init.d/ftpd script file is responsible for automatically starting and stopping the Wu-
ftpd daemon on your server. Running ftpd as a standalone daemon, instead of from inetd/xinetd, 
eliminates the per-connection program load time as well as the ftpaccess file load time, and 
even reduces swapping, since non-library code is shared. 

Step 1 
Create the ftpd script file (touch /etc/rc.d/init.d/ftpd) and add the following lines 
inside it: 

#!/bin/sh
# ftpd          This starts and stops ftpd.
#
# chkconfig: 345 50 50
# description: Wu-ftpd is one of the most widely \
#              used daemons on the Internet. \
#
# processname: /usr/sbin/in.ftpd
# config: /etc/sysconfig/network
# config: /etc/ftpaccess
# pidfile: /var/run/ftpd.pid

PATH=/sbin:/bin:/usr/bin:/usr/sbin

# Source function library.
. /etc/init.d/functions

# Get config.
test -f /etc/sysconfig/network && . /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "yes" ] || exit 0

[ -f /usr/sbin/in.ftpd ] || exit 1
[ -f /etc/ftpaccess ] || exit 1

RETVAL=0

start() {
    echo -n "Starting ftpd: "
    daemon in.ftpd -l -a -S
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/ftpd
    return $RETVAL
}

stop() {
    echo -n "Stopping ftpd: "
    killproc in.ftpd
    RETVAL=$?
    echo
    rm -f /var/lock/subsys/ftpd
    return $RETVAL
}

reload() {
    echo -n "Reloading ftpd: "
    killproc in.ftpd -USR2
    RETVAL=$?
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

condrestart() {
    [ -e /var/lock/subsys/ftpd ] && restart
    return 0
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status in.ftpd
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    condrestart)
        condrestart
        ;;
    *)
        echo "Usage: ftpd {start|stop|status|restart|condrestart|reload}"
        RETVAL=1
esac

exit $RETVAL





Step 2 
Once the ftpd script file has been created, it is important to make it executable, change its 
default permissions, create the necessary links and start it. Making this file executable will allow 
the system to run it; changing its default permissions allows only the root user to change this 
file, for security reasons; and creating the symbolic links lets the process control initialization 
of Linux, which is in charge of starting all the normal and authorized processes that need to run at 
boot time on your system, start the program automatically for you at each reboot. 

• To make this script executable and to change its default permissions, use the commands: 
[root@deep /]# chmod 700 /etc/rc.d/init.d/ftpd 
[root@deep /]# chown 0.0 /etc/rc.d/init.d/ftpd 

• To create the symbolic rc.d links for Wu-ftpd, use the following commands: 
[root@deep /]# chkconfig --add ftpd 
[root@deep /]# chkconfig --level 345 ftpd on 

• To start Wu-ftpd software manually, use the following command: 
[root@deep /]# /etc/rc.d/init.d/ftpd start 
Starting ftpd: [OK] 




















NOTE: All the configuration files required for each software described in this book have been 
provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be 
downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can 
unpack this to any location on your local machine, say for example /var/tmp; assuming you 
have done this, your directory structure will be /var/tmp/floppy. Within this floppy directory 
each configuration file has its own directory for the respective software. You can either cut and paste 
these directly if you are faithfully following our instructions from the beginning, or manually edit them 
to suit your needs. This facility is there as a convenience, but please don't forget that 
ultimately it is your responsibility to check and verify them before you use them, whether modified 
or as they are. 

Securing Wu-ftpd 

This section deals especially with actions we can make to improve and tighten security under Wu- 
ftpd. Note that we refer to the features available within the base installed program and not to 
any additional software. 


The upload command 

By default, the Wu-ftpd server will grant upload privileges to all users. The upload parameter 
allows remote clients to load and place files on the FTP server. For optimal security, we don't want 
users being able to upload into the "/", "/bin", "/dev", "/lib", "/usr", and "/usr/bin" directories 
in the /home/httpd chrooted directory. 

In our /etc/ftpaccess file we have already chroot'd users to /home/httpd, and they cannot 
access any area of the file system outside that directory structure, but in case something happens 
to the permissions on these directories you should deny upload privileges in your /etc/ftpaccess file 
into these areas (/home/httpd, /home/httpd/bin, /home/httpd/dev, 
/home/httpd/lib, /home/httpd/usr, and /home/httpd/usr/bin), then allow only 
what we want to: 


Step 1 
• Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines to deny 
upload privileges into these areas. 


# We don't want users being able to upload into these areas. 


upload /home/httpd * no 
upload /home/httpd * /dev no 
upload /home/httpd * /bin no 
upload /home/httpd * /lib no 
upload /home/httpd * /usr no 
upload /home/httpd * /usr/bin no 


# Areas where upload clauses are allowed. 
upload /home/httpd /gmourani yes gmourani gmourani 0644 dirs 0755 
upload /home/httpd /gmourani/* yes gmourani gmourani 0644 dirs 0755 




















The above lines specify to deny the upload feature into the "/", "/dev", "/bin", "/lib", "/usr", and 
"/usr/bin" directories of the chroot'd "/home/httpd" directory structure. If you have other 
directories in the chroot area that you want to protect with the upload clause, then add them to 
the list. 

The last two lines in our example allow uploads into the /gmourani directory and its immediate 
subdirectories, with uploaded files set to mode 644 and newly created directories to mode 755, 
owned by the guest user and group named gmourani. 








WARNING: If you want to allow uploads into more than one level of subdirectories of the /gmourani area, 
then you will have to add a new line for each additional level. For example, if I want 
to allow uploads into /gmourani/folder1/folder2/folder3, I will add the following 
additional lines: 


# Areas where upload clauses are allowed. 

upload /home/httpd /gmourani yes gmourani gmourani 0644 dirs 0755 
upload /home/httpd /gmourani/* yes gmourani gmourani 0644 dirs 0755 
upload /home/httpd /gmourani/*/* yes gmourani gmourani 0644 dirs 0755 
upload /home/httpd /gmourani/*/*/* yes gmourani gmourani 0644 dirs 0755 
Step 2 
Restart the Wu-ftpd server for the changes to take effect. 


e To restart Wu-ftpd, use the following command: 
[root@deep /]# /etc/rc.d/init.d/ftpd restart 
Stopping ftpd: [OK] 

Starting ftpd: [OK] 


The special file .notar 
Whether you allow on-the-fly tarring of directories or not, you should make sure an end-run 
around the upload and noretrieve restrictions cannot be made with the tar conversion in all areas where 
the upload parameter is not permitted. 

Step 1 
To do so, create the special file .notar in each of those directories and in the FTP directory. Don't use the 
touch command to create .notar; use echo, as in: 


[root@deep /]# echo "Tarring is denied" > /home/httpd/.notar 
[root@deep /]# echo "Tarring is denied" > /home/httpd/dev/.notar 
[root@deep /]# echo "Tarring is denied" > /home/httpd/bin/.notar 
[root@deep /]# echo "Tarring is denied" > /home/httpd/lib/.notar 
[root@deep /]# echo "Tarring is denied" > /home/httpd/usr/.notar 
[root@deep /]# echo "Tarring is denied" > /home/httpd/usr/bin/.notar 








WARNING: Don’t forget to add in this list any additional directories where the upload parameter is 
not allowed into the FTP area. Also don’t forget to create the .notar file inside it. 





Step 2 

It appears that using the "noretrieve .notar" parameter in the /etc/ftpaccess file breaks 
Internet Explorer. Some mirrors will copy your .notar rather than detect and create it, so you'll want it 
readable and retrievable. 


[root@deep /]# chmod 0444 /home/httpd/.notar 
[root@deep /]# chmod 0444 /home/httpd/dev/.notar 
[root@deep /]# chmod 0444 /home/httpd/bin/.notar 
[root@deep /]# chmod 0444 /home/httpd/lib/.notar 
[root@deep /]# chmod 0444 /home/httpd/usr/.notar 
[root@deep /]# chmod 0444 /home/httpd/usr/bin/.notar 


Step 3 
Restart the Wu-ftpd server for the changes to take effect. 


e To restart Wu-ftpd, use the following command: 
[root@deep /]# /etc/rc.d/init.d/ftpd restart 
Stopping ftpd: [OK] 

Starting ftpd: [OK] 
WARNING: It's important to NOT add the "noretrieve .notar" parameter inside the 
/etc/ftpaccess file of Wu-ftpd, or any .notar files will not be retrievable. 





The noretrieve command 

The noretrieve parameter of the Wu-ftpd server allows you to deny transfer of the selected 
directories or files. It is also a good idea to prevent downloads of those subdirectories (/dev, 
/bin, /lib, /usr, and /usr/bin) in the /home/httpd directory with the command 
noretrieve in your /etc/ftpaccess file, so that the jail's binaries and libraries cannot be 
fetched and inspected by a client. 


Step 1 
e Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines to deny 
transfer into these areas. 


# We'll prevent downloads with noretrieve. 
noretrieve /home/httpd/dev/ 

noretrieve /home/httpd/bin/ 

noretrieve /home/httpd/lib/ 

noretrieve /home/httpd/usr/ 

noretrieve /home/httpd/usr/bin/ 


Step 2 
Restart the Wu-ftpd server for the changes to take effect. 


e To restart Wu-ftpd, use the following command: 
[root@deep /]# /etc/rc.d/init.d/ftpd restart 
Stopping ftpd: [OK] 

Starting ftpd: [OK] 








NOTE: If you have other directories in the chroot area for which you want to deny transfer of files 
inside them, you must add these directories to the noretrieve clause list above. 
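The upload and noretrieve clauses above, together with the chmod/delete/overwrite/rename, deny-uid/deny-gid, log and greeting directives explained in the /etc/ftpaccess section earlier, are easy to lose when the file is edited later. The following shell script is an added example for this edition (not part of the book or of Wu-ftpd) that reads an ftpaccess file and reports which of those directives are missing for a given jail root. It accepts the spelling used in this chapter, including the "upload <root> * <dir> no" form and trailing slashes on noretrieve paths. The two sample files it writes are constructed for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the book or from Wu-ftpd): a lint for the hardening
# directives this chapter puts in /etc/ftpaccess. Function names are hypothetical.
set -eu

# ftpaccess_has FILE KEYWORD [FIELD...] -> succeeds if some line whose first
# word is KEYWORD also carries every FIELD. Comma lists such as
# "inbound,outbound" are split, and a trailing "/" on a path is ignored.
ftpaccess_has() {
    f=$1; key=$2; shift 2
    awk -v key="$key" -v wants="$*" '
        BEGIN { nw = split(wants, w, " "); for (j in w) sub(/\/+$/, "", w[j]) }
        $1 == key {
            hit = 0
            for (j = 1; j <= nw; j++) {
                ok = 0
                for (i = 2; i <= NF && !ok; i++) {
                    v = $i; sub(/\/+$/, "", v); m = split(v, parts, ",")
                    for (k = 1; k <= m; k++) if (parts[k] == w[j]) ok = 1
                }
                hit += ok
            }
            if (hit == nw) found = 1
        }
        END { exit !found }' "$f"
}

# ftpaccess_check FILE JAILROOT -> print one line per finding and return
# the number of findings (0 means every check passed).
ftpaccess_check() {
    f=$1; root=$2; n=0
    for cmd in chmod delete overwrite rename; do
        ftpaccess_has "$f" "$cmd" no anonymous ||
            { echo "anonymous users may $cmd files"; n=$((n + 1)); }
    done
    for dir in '*' /dev /bin /lib /usr /usr/bin; do
        ftpaccess_has "$f" upload "$root" "$dir" no ||
            { echo "no 'upload $root $dir no' clause"; n=$((n + 1)); }
    done
    for dir in /dev /bin /lib /usr /usr/bin; do
        ftpaccess_has "$f" noretrieve "$root$dir" ||
            { echo "no 'noretrieve $root$dir' clause"; n=$((n + 1)); }
    done
    for key in deny-uid deny-gid loginfails passwd-check; do
        ftpaccess_has "$f" "$key" ||
            { echo "missing '$key' directive"; n=$((n + 1)); }
    done
    ftpaccess_has "$f" log transfers inbound outbound ||
        { echo "transfers are not logged in both directions"; n=$((n + 1)); }
    ftpaccess_has "$f" log security ||
        { echo "security violations are not logged"; n=$((n + 1)); }
    ftpaccess_has "$f" greeting terse || ftpaccess_has "$f" greeting brief ||
        { echo "greeting leaks the daemon version (use terse or brief)"; n=$((n + 1)); }
    return $n
}

# Constructed sample: a permissive ftpaccess as found on a default install.
write_weak_sample() {
    cat > "$1" <<'EOF'
class anonftp anonymous *
upload /home/httpd /incoming yes ftp ftp 0666
greeting full
EOF
}

# Constructed sample: the directives recommended in this chapter.
write_hardened_sample() {
    cat > "$1" <<'EOF'
loginfails 3
chmod no anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
log transfers anonymous,real,guest inbound,outbound
log security anonymous,real,guest
upload /home/httpd * no
upload /home/httpd * /dev no
upload /home/httpd * /bin no
upload /home/httpd * /lib no
upload /home/httpd * /usr no
upload /home/httpd * /usr/bin no
upload /home/httpd /gmourani yes gmourani gmourani 0644 dirs 0755
noretrieve /home/httpd/dev/
noretrieve /home/httpd/bin/
noretrieve /home/httpd/lib/
noretrieve /home/httpd/usr/
noretrieve /home/httpd/usr/bin/
deny-uid %-99 %65535-
deny-gid %-99 %65535-
greeting terse
passwd-check rfc822 warn
EOF
}

# Usage: ftpaccess-check.sh /etc/ftpaccess /home/httpd   (exit status = findings)
if [ $# -ge 1 ]; then
    ftpaccess_check "$1" "${2:-/home/httpd}"
fi
```

Run it as `ftpaccess-check.sh /etc/ftpaccess /home/httpd` after every change to the file; the exit status is the number of findings, so it drops straight into a deployment script. It only checks that the directives are present with the expected fields, not that Wu-ftpd parses them, so keep reading the daemon's own logs after a restart.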





Setup an Anonymous FTP server 

For administrators who want to set up an anonymous FTP server, all you have to do is add 
the anonymous FTP user to the /etc/passwd file and set up the appropriate parameters and 
authorizations. Of course, don't forget to add the required directories of the anonymous 
server to the chroot'd jail. 

In our example we'll first give anonymous users only access to get files from the FTP 
anonymous directory on the FTP server. Why? Because if we want to give them the possibility 
to upload contents to the anonymous server area, we should create a special separate 
file system to receive their uploaded files, or be prepared for a Denial of Service (DoS) attack 
on your system (a disk filled by anonymous uploads takes every other service on that file 
system down with it). 


If you want to allow uploads into the FTP anonymous server area, then create a new file system, 
for example /home/ftp/incoming, for this purpose and mount it. In this case, please refer 
to the indicated steps later. 

Step 1 
First, we must add a new user to the /etc/passwd file for the anonymous FTP connection. Pay 
special attention to the UID number used for this user: it must be a system UID lower than the 
value of UID_MIN defined in /etc/login.defs. 


The directory where we'll setup the anonymous users areas will be separate from the one we 
have created for the guest users areas. 


• To create the anonymous FTP user, use the following command: 
[root@deep /]# useradd -c "FTP Anonymous Users" -u 95 -d /home/ftp -s /bin/false ftp 2>/dev/null 








WARNING: Don't create a password for this user; it's an anonymous user, therefore everyone 
should be able to log on with this account. 





Step 2 
Secondly, it's important to change the owner of the /home/ftp directory to be someone like the 
bin user of the Linux system, but never the super-user root or the anonymous user. 

• To change the owner of the /home/ftp directory, use the following commands: 
[root@deep /]# chown bin /home/ftp/ 
[root@deep /]# chmod 755 /home/ftp/ 

The above command will change the owner of the /home/ftp directory to become the user 
named "bin". It's important to check and be sure that every directory added under the 
/home/ftp chroot'd area is owned by a user like "bin", never by the "ftp" user. 


Without this verification, anonymous users will be able to delete, chmod, create directories, etc 
inside the chroot jail of the anonymous FTP server (very dangerous). 


Step 3 
After that it’s important to edit the /etc/ftpaccess file to inform the FTP server to allow the 
anonymous user named ftp which we have added to the password file to connect to the server. 


• Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines: 
allow-uid ftp 
allow-gid ftp 


Step 4 

Once the anonymous user has been added to the password file and allowed to connect, it's time 
to create a new FTP users class line inside the /etc/ftpaccess file to allow 
anonymous access. 

• Edit the ftpaccess file (vi /etc/ftpaccess) and add the following line to allow 
anonymous FTP users from anywhere: 

class anonftp anonymous * 

Step 5 
Now we need to create the chroot'd glue directories for the anonymous FTP users in the system. 


[root@deep /]# mkdir /home/ftp/bin 
[root@deep /]# mkdir /home/ftp/dev 
[root@deep /]# mkdir /home/ftp/lib 
[root@deep /]# mkdir /home/ftp/usr 
[root@deep /]# mkdir /home/ftp/usr/bin 


Step 6 
After that, we must change the mode permission on the chroot glue directories to mode 
(0111/d--x--x--x) for security reasons: 

[root@deep /]# chmod 0111 /home/ftp/bin/ 
[root@deep /]# chmod 0111 /home/ftp/dev/ 
[root@deep /]# chmod 0111 /home/ftp/lib/ 
[root@deep /]# chmod 0111 /home/ftp/usr/ 
[root@deep /]# chmod 0111 /home/ftp/usr/bin/ 


Step 7 

Once all permission modes of the supporting anonymous glue directories have been changed, it is 
time to copy the required binary programs to the related directories in the chroot area for Wu-ftpd 
to work. Those programs are necessary to allow anonymous users to ls, tar, and compress files 
on the anonymous FTP chroot jail server. 

[root@deep /]# cp /bin/ls /home/ftp/bin/ 
[root@deep /]# cp /bin/tar /home/ftp/bin/ 
[root@deep /]# cp /bin/cpio /home/ftp/bin/ 
[root@deep /]# cp /bin/gzip /home/ftp/bin/ 
[root@deep /]# cp /usr/bin/compress /home/ftp/usr/bin/ 
[root@deep /]# chmod 0111 /home/ftp/bin/* 
[root@deep /]# chmod 0111 /home/ftp/usr/bin/compress 
[root@deep /]# cd /home/ftp/bin/ 
[root@deep bin]# ln -sf gzip zcat 

NOTE: The chmod commands above will change modes of those programs to be (0111/---x--x--x) 
because we don't want users to be able to modify or read the binaries in the anonymous 
chroot area but just to execute them if necessary. 





Step 8
Find the shared library dependencies of the binaries and copy them to the "lib"
directory in the anonymous chroot jail. These libraries are part of libc and are needed by the
various programs in bin. The exact set depends on the glibc version installed on your system:
run ldd on each binary you copied (for example ldd /bin/ls) to confirm it. Remember also that
these copies do not follow system updates; after every glibc upgrade the libraries must be
copied into the jail again, otherwise the jail keeps running the old, unpatched code.

[root@deep /]# cp /lib/libcrypt.so.1 /home/ftp/lib/
[root@deep /]# cp /lib/libnsl.so.1 /home/ftp/lib/
[root@deep /]# cp /lib/libc.so.6 /home/ftp/lib/
[root@deep /]# cp /lib/libtermcap.so.2 /home/ftp/lib/
[root@deep /]# cp /lib/libnss_files.so.2 /home/ftp/lib/
[root@deep /]# cp /lib/libpthread.so.0 /home/ftp/lib/
[root@deep /]# cp /lib/librt.so.1 /home/ftp/lib/
[root@deep /]# cp /lib/ld-linux.so.2 /home/ftp/lib/
[root@deep /]# strip -R .comment /home/ftp/lib/*
Step 9
Finally, create the /home/ftp/dev/null device node and set its mode appropriately.

[root@deep /]# mknod /home/ftp/dev/null c 1 3
[root@deep /]# chmod 666 /home/ftp/dev/null


Step 10

This step applies only if you choose to permit the upload feature for anonymous FTP connections
on the server. If you have created a special file system as explained above to allow uploads into
the anonymous FTP server area, then you'll need an FTP site administrator user to own
the files inside the /incoming directory, which is the area where we want to allow anonymous FTP
users to upload (this is a security feature: uploaded files belong to that user, not to the uploader).

•  Use the following commands to create the FTP Site Administrator user:
[root@deep /]# useradd -c "FTP Site Administrator" -u 96 -d /home/ftp -s /bin/false ftpadmin 2>/dev/null
[root@deep /]# passwd ftpadmin
Changing password for user ftpadmin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

The useradd command creates a locked account with no valid shell and no files of its own,
nothing but a UID and a GID; the passwd command then gives it the password it will use to log
in through FTP.

•  Now set the permissions of the /home/ftp and /home/ftp/incoming areas as follows:

[root@deep /]# chown ftpadmin /home/ftp/
[root@deep /]# chown ftpadmin.ftpadmin /home/ftp/incoming/
[root@deep /]# chmod 755 /home/ftp/
[root@deep /]# chmod 3773 /home/ftp/incoming/

Mode 3773 sets the setgid and sticky bits and gives everyone write and search permission but
no read permission on /incoming: anonymous users can upload into it but cannot list what
others have uploaded, which keeps the directory from being used as an anonymous exchange
area. The sticky bit stops one uploader from deleting or renaming another's file, and setgid
keeps new entries in the ftpadmin group.

NOTE: The /home/ftp/incoming location is a Linux file system which you have already
created for this purpose, or which you create now, so that its security permissions can be set
as above.





Step 11

This step applies only if you choose to permit the upload feature for anonymous FTP connections
on the server. Once the FTP Site Administrator has been added to the password file, we must
allow it to connect to the anonymous FTP server through the /etc/ftpaccess file:

•  Edit the ftpaccess file (vi /etc/ftpaccess) and add the following lines:
allow-uid ftpadmin
allow-gid ftpadmin
Step 12

This step applies to both the download and upload features of anonymous FTP connections on
the server. Once permission has been granted to the ftpadmin user, it's time to deny upload
capability into the /ftp areas and to allow it only from the /incoming area of the anonymous
FTP server.

•  Edit the ftpaccess file (vi /etc/ftpaccess) and add the following clauses:

upload /home/ftp * no
upload /home/ftp /dev no
upload /home/ftp /bin no
upload /home/ftp /lib no
upload /home/ftp /usr no
upload /home/ftp /usr/bin no
# Areas where upload clauses are allowed.
upload /home/ftp /incoming yes ftpadmin ftpadmin 0440 nodirs

An upload clause has the form upload <root-dir> <dirglob> <yes|no> [<owner> <group> <mode>
[dirs|nodirs]]. The lines above deny uploads into all the "/ftp" areas and allow uploads <yes>
into the </incoming> directory of the anonymous FTP server for everyone, with uploaded files
created with mode <0440> and without the possibility to create new directories <nodirs> inside
this /incoming area. Note that the owner and group of every file uploaded into this directory
will be the FTP Site Administrator user <ftpadmin>, so an anonymous user who uploads a file
cannot read it back afterwards, and neither can any other anonymous user. Keep the catch-all
"upload /home/ftp * no" line first, as here, and the specific /incoming line after it.


Step 13

This step applies to both the download and upload features of anonymous FTP connections on
the server. As you should know by now, every new directory you create inside the protected
bubble of the FTP server, and especially directories for anonymous ftp users, must be examined
to decide whether downloads from it should be allowed. For anonymous FTP connections we must
ensure the following:

•  Edit the ftpaccess file (vi /etc/ftpaccess) and add the following clauses to make
sure no downloads occur from any of the following areas of the anonymous ftp server:

noretrieve /home/ftp/dev/
noretrieve /home/ftp/bin/
noretrieve /home/ftp/lib/
noretrieve /home/ftp/usr/
noretrieve /home/ftp/usr/bin/
noretrieve /home/ftp/incoming/

Also, because the /incoming area of the anonymous ftp server is a Linux file system, there
will be another directory inside it named lost+found; it's wise to prevent downloading
from this directory too:

•  Edit the ftpaccess file (vi /etc/ftpaccess) and add the following clause:
noretrieve /home/ftp/incoming/lost+found/
Step 14
Finally, don't forget to create the special .notar file in each anonymous directory and
make it readable and retrievable. A .notar file tells Wu-ftpd not to build an on-the-fly tar
archive of the directory that contains it, so a user cannot fetch a whole directory (and whatever
it holds) in one request. For our example directories, this must be done in all of the following
locations:

[root@deep /]# echo "Tarring is denied" > /home/ftp/.notar
[root@deep /]# echo "Tarring is denied" > /home/ftp/dev/.notar
[root@deep /]# echo "Tarring is denied" > /home/ftp/bin/.notar
[root@deep /]# echo "Tarring is denied" > /home/ftp/lib/.notar
[root@deep /]# echo "Tarring is denied" > /home/ftp/usr/.notar
[root@deep /]# echo "Tarring is denied" > /home/ftp/usr/bin/.notar
[root@deep /]# echo "Tarring is denied" > /home/ftp/incoming/.notar
[root@deep /]# chmod 0444 /home/ftp/.notar
[root@deep /]# chmod 0444 /home/ftp/dev/.notar
[root@deep /]# chmod 0444 /home/ftp/bin/.notar
[root@deep /]# chmod 0444 /home/ftp/lib/.notar
[root@deep /]# chmod 0444 /home/ftp/usr/.notar
[root@deep /]# chmod 0444 /home/ftp/usr/bin/.notar
[root@deep /]# chmod 0444 /home/ftp/incoming/.notar

Step 15

Restart the Wu-ftpd server for the changes to take effect.

•  To restart Wu-ftpd, use the following command:
[root@deep /]# /etc/rc.d/init.d/ftpd restart
Stopping ftpd: [OK]
Starting ftpd: [OK]
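The whole procedure of Steps 5 to 14, as an added example that is not part of the book: a POSIX shell script that builds the chroot glue area for any list of binaries and then prints the ftpaccess upload and noretrieve clauses for every directory it finds in the jail. Everything here is my own code and makes these assumptions: the jail path, the binaries and the upload owner are parameters (the book's fixed /home/ftp, ls/tar/cpio/gzip/compress and ftpadmin are just one set of inputs); shared libraries are discovered with ldd instead of the hard-coded list of Step 8, so the copied set always matches the binaries actually placed in the jail; and the directories are restricted to 0111 after the copies rather than before, which is what lets the script also run unprivileged for testing. The device node of Step 9 still needs root.

```shell
#!/bin/sh
# Added example, not code from the book: builds a Wu-ftpd anonymous chroot area
# and prints the matching ftpaccess clauses, generalizing Steps 5 to 14 above.
# Assumptions (mine): POSIX sh; `ldd` available to discover shared libraries;
# the jail path, binary list and upload owner are parameters rather than the
# fixed /home/ftp, ls/tar/cpio/gzip/compress and ftpadmin of the book's steps.

# build_anon_jail JAIL /path/to/binary...
# Creates bin, dev, lib, usr and usr/bin; copies each binary (into usr/bin when it
# came from /usr, else bin) as mode 0111; copies every library ldd reports into
# lib as 0444; drops a read-only .notar in each directory; finally sets the
# directories themselves to 0111. Directories are restricted last so the copies
# also work for a non-root test run (root ignores the missing write bit anyway).
build_anon_jail() {
    jail=$1; shift
    for d in bin dev lib usr usr/bin; do
        mkdir -p "$jail/$d" || return 1
    done
    for bin in "$@"; do
        case $bin in
            /usr/*) dest=$jail/usr/bin ;;
            *)      dest=$jail/bin ;;
        esac
        cp "$bin" "$dest/" && chmod 0111 "$dest/$(basename "$bin")" || return 1
        # ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
        # "/lib/ld-linux.so.2 (0x...)"; keep only the absolute paths
        if command -v ldd >/dev/null 2>&1; then
            ldd "$bin" 2>/dev/null |
            awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
            while read -r lib; do
                if [ -f "$lib" ] && [ ! -e "$jail/lib/$(basename "$lib")" ]; then
                    cp "$lib" "$jail/lib/" && chmod 0444 "$jail/lib/$(basename "$lib")"
                fi
            done
        fi
    done
    # .notar: Wu-ftpd refuses to build an on-the-fly tar of a directory holding one
    for d in . bin dev lib usr usr/bin; do
        echo "Tarring is denied" > "$jail/$d/.notar" && chmod 0444 "$jail/$d/.notar"
    done
    for d in bin dev lib usr usr/bin; do
        chmod 0111 "$jail/$d"
    done
    # the device node needs root (mknod capability); report rather than fail without it
    if [ "$(id -u)" -eq 0 ] && mknod "$jail/dev/null" c 1 3 2>/dev/null; then
        chmod 0666 "$jail/dev/null"
    else
        echo "note: $jail/dev/null not created; run Step 9 as root" >&2
    fi
}

# gen_ftpaccess_clauses JAIL INCOMING OWNER
# Emits clauses for every directory under JAIL instead of a hand-kept list:
# uploads denied everywhere (catch-all first, as in Step 12) and allowed only
# into INCOMING as OWNER:OWNER mode 0440 without subdirectories; noretrieve for
# every directory so nothing but the areas you deliberately open can be fetched.
# Delete the noretrieve lines for the directories you really want to serve.
gen_ftpaccess_clauses() {
    jail=$1; incoming=$2; owner=$3
    echo "upload $jail * no"
    find "$jail" -type d 2>/dev/null | LC_ALL=C sort | while read -r d; do
        rel=${d#"$jail"}
        [ -n "$rel" ] || continue
        if [ "$rel" = "$incoming" ]; then
            echo "upload $jail $rel yes $owner $owner 0440 nodirs"
        else
            echo "upload $jail $rel no"
        fi
        echo "noretrieve $d/"
    done
}
```

For a real jail run it as root: build_anon_jail /home/ftp /bin/ls /bin/tar /bin/cpio /bin/gzip /usr/bin/compress, then review the output of gen_ftpaccess_clauses /home/ftp /incoming ftpadmin before appending it to /etc/ftpaccess. Because the generator walks the jail, a lost+found directory inside /incoming is covered without a separate clause. The zcat symlink of Step 7 and the allow-uid/allow-gid lines of Step 11 are not generated.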


Further documentation
For more details, there are several manual pages related to Wu-ftpd that you could read:

$ man ftpcount (1) - Show current number of users for each class
$ man ftpwho (1) - Show current process information for each ftp user
$ man ftpaccess (5) - ftpd configuration file
$ man ftphosts (5) - ftpd individual user host access file
$ man ftpconversions (5) - ftpd conversions database
$ man xferlog (5) - FTP server logfile
$ man ftpd (8) - Internet File Transfer Protocol server
$ man ftpshut (8) - Close down the ftp servers at a given time
$ man ftprestart (8) - Restart previously shutdown ftp servers
$ man privatepw (8) - Change WU-FTPD Group Access File Information


Wu-ftpd Administrative Tools

The commands listed below are some of the most used in regular use of this software, but many
more exist. Check the manual pages for more details.

ftpwho

The ftpwho program utility displays all active ftp users and their current process information
on the system. The output of the command is in the format of the /bin/ps command. The format
of this command is:

•  To display all active ftp users and their current process, use the following command:
[root@deep /]# ftpwho
Service class openna:
 5443 ? S 0:00 ftpd: station1.openna.com: ftpadmin: IDLE
 - 1 users ( 20 maximum)

Here, you can see that one user is logged in, 20 users are allowed to connect, and this user has
the username "ftpadmin" and claims to be from station1.openna.com.

ftpcount

The ftpcount program utility, which is a simplified version of ftpwho, shows only the current
number of users logged in to the system and the maximum number of users allowed.

•  To show only the current number of users logged in to the system and the maximum
number of users allowed, use the following command:

[root@deep /]# ftpcount
Service class openna - 1 users ( 20 maximum)


List of installed Wu-ftpd files on your system

> /etc/rc.d/init.d/wuftpd
> /etc/ftpaccess
> /etc/ftpconversions
> /etc/ftphosts
> /etc/logrotate.d/ftpd
> /usr/bin/ftpcount
> /usr/bin/ftpwho
> /usr/sbin/in.ftpd
> /usr/sbin/wu.ftpd
> /usr/sbin/in.wuftpd
> /usr/sbin/ftpshut
> /usr/sbin/ckconfig
> /usr/sbin/ftprestart
> /usr/sbin/privatepw
> /usr/sbin/xferstats
> /usr/share/man/man1/ftpcount.1
> /usr/share/man/man1/ftpwho.1
> /usr/share/man/man5/ftpaccess.5
> /usr/share/man/man5/ftphosts.5
> /usr/share/man/man5/ftpconversions.5
> /usr/share/man/man5/ftpservers.5
> /usr/share/man/man5/xferlog.5
> /usr/share/man/man8/ftpd.8
> /usr/share/man/man8/ftpshut.8
> /usr/share/man/man8/ftprestart.8
> /usr/share/man/man8/privatepw.8
> /var/log/xferlog
In this Chapter

Linux MM - Shared Memory Library
Compiling - Optimizing & Installing MM
Some statistics about Apache and Linux
Recommended RPM packages to be installed for a Web Server
Compiling - Optimizing & Installing Apache
Configuring Apache
Enable PHP4 server-side scripting language with the web server
Securing Apache
Optimizing Apache
Linux MM - Shared Memory Library

Abstract

I recommend that you compile and install this small program only if you intend to install and use
the Apache web server with third party modules like mod_ssl for encrypted data, mod_perl for
the Perl programming language, or mod_php for the PHP server-side scripting language. This
library provides a significant performance gain to such Apache modules. For instance, if you need
to install Apache with SSL support for electronic commerce on the Internet, it allows the
SSL protocol to use a high-performance RAM-based session cache instead of a disk-based one.

As explained on the [MM Shared Memory Library web site]:

The MM library is a 2-layer abstraction library, which simplifies the usage of shared memory
between forked (and, in this example, strongly related) processes under Unix platforms. On the
first layer it hides all platform dependent implementation details (allocation and locking) when
dealing with shared memory segments, and on the second layer it provides a high-level malloc
(3)-style API for a convenient and well known way to work with data-structures inside those
shared memory segments.

The library is released under the term of an open-source (BSD-style) license, because it was
originally written as a proposal for use inside the next version of the Apache web server as a
base library for providing shared memory pools to Apache modules (because currently, Apache
modules can only use heap-allocated memory, which isn't shared across the pre-forked server
processes). The requirement actually comes from comprehensive modules like mod_ssl,
mod_perl and mod_php, which would benefit a lot from easy to use shared memory pools.

These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest MM version number is 1.1.3

Packages
The following is based on information as listed by MM Shared Memory Library as of
01/07/2000. Please regularly check at www.engelschall.com/sw/mm/ for the latest status.

Source code is available from:

MM Homepage: http://www.engelschall.com/sw/mm/
You must be sure to download: mm-1.1.3.tar.gz
Pristine source

If you don't use an RPM package to install this program, it will be difficult for you to locate all
the files installed on the system when an update comes along in the future. To solve the problem,
it is a good idea to make a list of files on the system before you install MM, and one afterwards,
and then compare them using the diff utility of Linux to find out which files were placed where.

•  Simply run the following command before installing the software:
[root@deep /root]# find /* > MM1

•  And the following one after you install the software:
[root@deep /root]# find /* > MM2

•  Then use the following command to get a list of what changed:
[root@deep /root]# diff MM1 MM2 > MM-Installed

With this procedure, if an upgrade appears, all you have to do is read the generated list of
which files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of
the system to store all the generated list files. Note that a plain list of paths only shows files
that were added or removed; a file that the install overwrote in place (a library that already
existed, for example) will not appear in the diff.
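An added example, not from the book, that performs the same before/after comparison with one more piece of information: for every regular file it records a POSIX cksum CRC and size, so a file the install overwrote in place (or one altered later) is reported as "changed" instead of being missed by a plain path listing. It is my own code and assumes POSIX find, cksum, comm, sort and awk, paths without tabs or newlines, and that /proc, /sys and /dev are skipped when the root is "/".

```shell
#!/bin/sh
# Added example, not code from the book: snapshot-and-compare for tracking a
# source install, generalizing the find/diff procedure above. Where the book's
# `find /*` records paths only, this records a POSIX cksum CRC and size for
# every regular file, so an overwritten file shows up as "changed".
# Assumptions (mine): POSIX find/cksum/comm/sort/awk; paths contain no tabs or
# newlines; /proc, /sys and /dev are pruned when the root is "/".
LC_ALL=C; export LC_ALL   # byte-order sorting so that sort and comm agree

# snapshot_tree ROOT OUTFILE
# One tab-separated line per path: path, CRC, size for regular files;
# path, "-", "-" for directories, symlinks and device nodes.
snapshot_tree() {
    {
        find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
            -type f -exec cksum {} + 2>/dev/null |
            awk '{ print $NF "\t" $1 "\t" $2 }'
        find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
            ! -type f -print 2>/dev/null |
            awk '{ print $0 "\t-\t-" }'
    } | sort > "$2"
}

# report_changes BEFORE AFTER
# Prints "added PATH", "removed PATH" or "changed PATH" for every difference.
# A path present in both snapshots with a different CRC or size appears in both
# "only in AFTER" and "only in BEFORE" lists, which is what marks it as changed.
report_changes() {
    before=$1; after=$2
    comm -13 "$before" "$after" | cut -f1 > "$after.onlyafter"    # added or changed
    comm -23 "$before" "$after" | cut -f1 > "$after.onlybefore"   # removed or changed
    comm -12 "$after.onlybefore" "$after.onlyafter" | sed 's/^/changed /'
    comm -13 "$after.onlybefore" "$after.onlyafter" | sed 's/^/added /'
    comm -23 "$after.onlybefore" "$after.onlyafter" | sed 's/^/removed /'
    rm -f "$after.onlyafter" "$after.onlybefore"
}
```

Used like the book's procedure: snapshot_tree / /root/MM1 before make install, snapshot_tree / /root/MM2 after it, then report_changes /root/MM1 /root/MM2 > /root/MM-Installed. Reading every file makes the snapshot slower than a bare find, but the same two files also let you spot a library that was silently replaced between two snapshots, not only one that was added.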


Compiling - Optimizing & Installing MM

Below are the required steps that you must take to compile and optimize the MM Shared
Memory Library software before installing it on your Linux system. First off, we install the
program as user 'root' so as to avoid authorization problems.

Step 1
Once you get the program from the main software site you must copy it to the /var/tmp
directory and change to this location before expanding the archive.

•  These procedures can be accomplished with the following commands:
[root@deep /]# cp mm-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf mm-version.tar.gz

Step 2
After that, move into the newly created MM directory, then configure, compile and optimize it.

•  To move into the newly created MM directory use the following command:
[root@deep tmp]# cd mm-1.1.3/

•  To configure, compile and optimize MM use the following compilation lines:
CFLAGS="-O3 -march=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--mandir=/usr/share/man \
--disable-shared

This tells MM to set itself up for this particular configuration setup with:

- Disable shared libraries.

WARNING: Pay special attention to the CFLAGS line above. We compile and optimize MM for an
i686 CPU architecture with the parameter "-march=i686". Please don't forget
to adjust this CFLAGS line to reflect your own system and CPU architecture.

Step 3

Now, we must make a list of files on the system before we install the software, and one
afterwards, then compare them using the diff utility to find out which files were placed where,
and finally install the MM Shared Memory Library on the server:

[root@deep mm-1.1.3]# make
[root@deep mm-1.1.3]# make test
[root@deep mm-1.1.3]# cd
[root@deep /root]# find /* > MM1
[root@deep /root]# cd /var/tmp/mm-1.1.3/
[root@deep mm-1.1.3]# make install
[root@deep mm-1.1.3]# cd
[root@deep /root]# find /* > MM2
[root@deep /root]# diff MM1 MM2 > MM-Installed

The above commands compile all source files into executable binaries (the configure step run
earlier has already verified that your system has the libraries needed to build the package), and
then install the binaries and any supporting files into the appropriate locations.

NOTE: The make test command runs the program's own test suite to verify that it
works and responds properly before the installation.





Step 4
Now, it's time to verify that the "--disable-shared" option has been properly applied at
compile time.

•  To verify that the program has been built statically, use the following command:
[root@deep tmp]# ldd /usr/bin/mm-config
not a dynamic executable

If you receive a message like "not a dynamic executable", then congratulations! Note that ldd
prints the same message for a shell script, so also confirm directly that only the static archive
was installed: ls /usr/lib/libmm.* should list libmm.a and libmm.la and no libmm.so.


Step 5

Once the compilation, optimization and installation of the software have finished, we can free up
some disk space by deleting the program tar archive and the related source directory, since they
are no longer needed.

•  To delete MM and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf mm-version/
[root@deep tmp]# rm -f mm-version.tar.gz

The rm command as used above will remove all the source files we used to compile and
install MM. It will also remove the MM compressed archive from the /var/tmp directory.


Further documentation 
For more details, there are two manual pages related to this software that you could read: 


MM (3) - Shared Memory Library 
mm-config (1) - MM library configuration/build utility 


List of installed MM Shared Memory Library files on your system 


> /usr/bin/mm-config 

> /usr/include/mm.h 

> /usr/lib/libmm.la 

> /usr/lib/libmm.a 

> /usr/share/man/man1/mm-config.1 
> /usr/share/man/man3/mm.3 
Linux Apache Web Server

Abstract

Apache is the most widely used HTTP server in the world today. It surpasses all free and
commercial competitors on the market, and provides a myriad of features, more than the nearest
competitor could give you on a UNIX variant. It is also the most used web server on Linux
systems. A web server like Apache, in its simplest function, is software that serves
HTML pages hosted on a server to a client browser that understands the HTML code. Combined
with third party modules and programs, it can become powerful software which provides strong
and useful services to a client browser.

I expect that most of the users who read this book will be especially interested in knowing how
to install the Apache web server in the most secure and optimized way. In its base install, Apache
is no more difficult to install than the other software we have installed on our Linux server. The
procedure can become tricky when we want to add some third party modules or programs.

There are a lot of possibilities, variants and options for installing Apache. Therefore, in the
following, we provide some step-by-step examples where you can see how to build Apache with
other third-party modules and programs like mod_ssl, mod_perl, PHP4, an SQL database, etc.

Of course, building these programs is optional, and you are free to compile only what you
want (i.e., you may want to compile Apache with support for PHP4, but without SSL or SQL
database connectivity). For simplicity we assume some prerequisites for each example. If
these don't fit your situation, simply adjust the steps.

In this chapter, we explain and cover some of the basic ways in which you can adjust the
configuration to improve the server's performance. Also, for interested users, we provide a
procedure to run Apache as a non-root user and in a chrooted environment for optimal
security.
Some statistics about Apache and Linux

People like to see statistics and benchmarks of different kinds. It is always interesting to know
the last milliseconds or bits we can squeeze out of our software and servers. The following pages
show you one more set of numbers about Apache and Linux, but not in the way you are generally
accustomed to. The moral is this: benchmarks are not always to be trusted, since technology
limits, unconsidered factors and so on may influence the results; but the stability of your system
is something you must have and keep.


What are some of the actual facts that the tests came up with? 

e With 1 CPU and 256 MB RAM, Linux & Apache achieved 1,314 http requests per second. 
First off, let's just look at an approximation of the situation that this represents:

e 1,314 hits/sec * 3600 sec/hour * 24 hours/day = 113,529,600 hits/day. 


So Linux/Apache should be able to handle your site on a 1 CPU 256 MB RAM machine if you 
get 113 million hits per day or less. Of course, this only works if your access is 100% even, which 
is extremely unrealistic. Let's assume that your busy times get ten times more hits per second 
than your average hits/second. That means that a single CPU Linux machine with 256 meg of 
RAM should work for you if you get about 11 million hits every day (113/10 = 11.3). 


Heck, let's be more conservative. Let's say that your busy times get 100 times more hits/second 
than your average hits/second. That means that if you get 1.1 million hits per day or less, that 
same machine will serve your site just fine (113/100 = 1.13). 


OK, there's that way of looking at it, but it's not really a good way. It's a very coarse 
approximation of access patterns and what a site needs. Let's try another way of looking at this. 
Let's do some simple calculations to see what sort of bandwidth these numbers mean. Bandwidth 
will be a better and more constant method of determining whom these numbers apply to than 
guessed at hit ratios. 


The files served must be of "varying sizes", so we'll have to make some assumptions about the 
average size of the files being served. Since over 1000 files were served per second, it is pretty 
safe to work by averages. 


Some numbers: 


1,314 hits/sec * 1 kilobyte/hit * 8192 bits/kilobyte = 10764288 bits/sec = 10 MBits/sec. 
1,314 hits/sec * 2 kilobytes/hit * 8192 bits/kilobyte = 21528576 bits/sec = 21 MBits/sec. 
1,314 hits/sec * 5 kilobytes/hit * 8192 bits/kilobyte = 53821440 bits/sec = 53 MBits/sec. 
1,314 hits/sec * 10 kilobytes/hit * 8192 bits/kilobyte = 107642880 bits/sec = 107 MBits/sec. 
1,314 hits/sec * 25 kilobytes/hit * 8192 bits/kilobyte = 269107200 bits/sec = 269 MBits/sec. 


Just as a reference, a T1 line is worth approximately 1.5 MBits/sec, these numbers don't include 
TCP/IP & HTTP overhead. 


Now, what does this tell us? Well, that if you are serving up 1,314 pages per second where the 
average page is only 1 kilobyte, you'll need ten (10) T1 lines or the equivalent until the computer 
is the limiting factor. What site on earth is going to be getting a sustained >1000 hits per second 
for 1 kilobyte files? Certainly not one with any graphics in it. 


Let's assume that you're running a site with graphics in it and that your average file is 5
kilobytes, not too conservative or too liberal. This means that if you're serving up 1,314 of them a
second, you'll need 53 MBits of bandwidth. And there are no peak issues here; you can't peak out
beyond your bandwidth.
Let's go at it another way, this time starting with our available bandwidth:

1 T1 Line * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/kilobyte = 184 hits/sec.
1 T1 Line * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/2 kilobytes = 92 hits/sec.
1 T1 Line * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/5 kilobytes = 37 hits/sec.
1 T1 Line * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/10 kilobytes = 19 hits/sec.
1 T1 Line * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/25 kilobytes = 8 hits/sec.

5 T1 Lines * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/kilobyte = 916 hits/sec.
5 T1 Lines * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/2 kilobytes = 458 hits/sec.
5 T1 Lines * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/5 kilobytes = 183 hits/sec.
5 T1 Lines * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/10 kilobytes = 92 hits/sec.
5 T1 Lines * 1.5 MBits/T1 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/25 kilobytes = 36 hits/sec.

1 T3 Line * 45 MBits/T3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/kilobyte = 5,494 hits/sec.
1 T3 Line * 45 MBits/T3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/2 kilobytes = 2,747 hits/sec.
1 T3 Line * 45 MBits/T3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/5 kilobytes = 1,099 hits/sec.
1 T3 Line * 45 MBits/T3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/10 kilobytes = 550 hits/sec.
1 T3 Line * 45 MBits/T3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/25 kilobytes = 220 hits/sec.

1 OC3 Line * 155 MBits/OC3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/kilobyte = 18,921 hits/sec.
1 OC3 Line * 155 MBits/OC3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/2 kilobytes = 9,461 hits/sec.
1 OC3 Line * 155 MBits/OC3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/5 kilobytes = 3,785 hits/sec.
1 OC3 Line * 155 MBits/OC3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/10 kilobytes = 1,893 hits/sec.
1 OC3 Line * 155 MBits/OC3 * 1,000,000 bits/MBit * 1 kilobyte/8192 bits * 1 hit/25 kilobytes = 757 hits/sec.

NOTE: These numbers don't include TCP/IP or HTTP overhead.





It is clear that the numbers are only significant when you have the equivalent bandwidth of over 6 
T1 lines. Let's be clear about this: if you have only five (5) T1 lines or less, a single CPU Linux 
machine with 256 MB RAM will wait on your internet connection and not be able to serve up to 
its full potential. 


Let me re-emphasize this: A single CPU Linux machine with 256 MB RAM running Apache will 
run faster than your internet connection! Put another way, if your site runs on five (5) T1 lines 
or less, a single CPU Linux machine with 256 MB RAM will more than fulfill your needs with 
CPU cycles left over. 


Let's assume that you either (a) have pages with more than about a screen of text or
(b) black and white pictures that make your average file size 5K. This would indicate that a
single CPU Linux machine with only 256 MB RAM running Apache would be constantly waiting
on your T3 line. In other words, a single CPU Linux machine with 256 MB RAM will serve your
needs with room to grow if your site is served by a T3 line or less.

One might also conclude that if you serve things like colour pictures (other than small buttons
and doodads) and thus your average file size is 25K, a single CPU Linux machine with 256 MB
RAM will serve your site just fine even if you are served by an OC3 line that you have all to
yourself.
Recommended RPM packages to be installed for a Web Server

A minimal configuration provides the basic set of packages required by the Linux operating
system. A minimal configuration is a perfect starting point for building a secure operating
system. Below is the list of all recommended RPM packages required to run your Linux server
properly as a Web Server running the Apache software.

This configuration assumes that your kernel is a monolithic kernel. I also assume that you will
install Apache from the RPM package; therefore the apache RPM package is already included in
the list below. There are seven other interesting RPM packages to install with Apache:
freetype, gd, libjpeg, libpng, libtool-libs, aspell and pspell will allow the Web Server to
work with external programs that you might install in the future. No security tools are included;
install the ones you need as RPM packages as well, since no compiler packages are in the list.

apache            e2fsprogs      iptables       openssh         slocate
aspell            ed             kernel         openssh-server  sysklogd
basesystem        file           less           openssl         syslinux
bash              filesystem     libjpeg        pam             SysVinit
bdflush           fileutils      libpng         passwd          tar
bind              findutils      libstdc++      perl            termcap
bzip2             freetype       libtermcap     popt            textutils
chkconfig         gawk           libtool-libs   procps          tmpwatch
console-tools     gd             lilo           psmisc          utempter
cpio              gdbm           logrotate      pspell          util-linux
cracklib          gettext        losetup        pwdb            vim-common
cracklib-dicts    glib           MAKEDEV        qmail           vim-minimal
crontabs          glibc          man            readline        vixie-cron
db1               glibc-common   mingetty       rootfiles       words
db2               grep           mktemp         rpm             which
db3               groff          mount          sed             zlib
dev               gzip           ncurses        sh-utils
devfsd            info           net-tools      shadow-utils
diffutils         initscripts    newt           slang

Tested and fully functional on OpenNA.com.
Figure: Web Server network layout. Router 207.35.78.1; External HUB; Web Server, SQL Server and
Directory Server at 207.35.78.9, 207.35.78.3 and 207.35.78.8; Apache with SSL & PHP support enabled.
These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Whether kernel recompilation may be required: No
Latest Apache version number is 1.3.20
Latest Mod_SSL version number is 2.8.4-1.3.20
Latest Mod_Perl version number is 1.25
Latest PHP version number is 4.0.5

Packages

The following are based on information as listed by Apache as of 2001/05/26, mod_ssl as of
2001/05/26, mod_perl as of 2001/03/16, and PHP as of 2001/05/16. Please regularly check at
www.apache.org, www.modssl.org, perl.apache.org, and www.php.net for the latest status.

Source codes are available from:

Apache Homepage: http://www.apache.org/
Apache FTP Site: 198.3.136.138
You must be sure to download: apache_1.3.20.tar.gz

Mod_SSL Homepage: http://www.modssl.org/
Mod_SSL FTP Site: 129.132.7.171
You must be sure to download: mod_ssl-2.8.4-1.3.20.tar.gz

Mod_Perl Homepage: http://perl.apache.org/
You must be sure to download: mod_perl-1.25.tar.gz

PHP Homepage: http://www.php.net/
You must be sure to download: php-4.0.5.tar.gz

Prerequisites

Apache requires that the software listed below already be installed on your system to be able to
compile successfully. If this is not the case, you must install it from your Linux CD-ROM or
source archive files. Please make sure you have all of these programs installed on your machine
before you proceed with this chapter.

✓ OpenSSL should already be installed on your system if you want Apache with SSL
encryption support.

✓ An SQL database of your choice should already be installed on your system if you want
Apache with PHP4 and SQL database connectivity support.

✓ MM Shared Memory Library should already be installed on your system if you want
Apache with the MM high-performance RAM-based session cache support.

✓ OpenLDAP should already be installed on your system if you want Apache with PHP4 and
LDAP directory connectivity support.

✓ Sendmail or qmail should already be installed on your system if you want Apache with
mail capability.

✓ IMAP & POP should already be installed on your system if you want Apache with PHP4
and IMAP & POP capability.
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lib jpeg package, which contains a library of functions for manipulating JPEG images. 








libpng package, which contains a library of functions for creating and manipulating PNG 
image format files. 


freetype package, a library which can open and manages font files as well as 
efficiently load, hint and render individual glyphs. 


gd package, which is a graphics library for drawing GIF files. 


aspell package, which is a spelling checker program. 











pspell package, which is a portable spell checker interface library. 





1ibtool-libs package, which contains the runtime libraries for GNU libtool. 





To verify if the libjpeg package is installed on your system, use the command: 
[root@deep /]# rpm -q libjpeg 
package libjpeg is not installed 

To verify if the libpng package is installed on your system, use the command: 
[root@deep /]# rpm -q libpng 
package libpng is not installed 

To verify if the freetype package is installed on your system, use the command: 
[root@deep /]# rpm -q freetype 
package freetype is not installed 

To verify if the gd package is installed on your system, use the command: 
[root@deep /]# rpm -q gd 
package gd is not installed 

To verify if the aspell package is installed on your system, use the command: 
[root@deep /]# rpm -q aspell 
package aspell is not installed 

To verify if the pspell package is installed on your system, use the command: 
[root@deep /]# rpm -q pspell 
package pspell is not installed 

To verify if the libtool-libs package is installed on your system, use the command: 
[root@deep /]# rpm -q libtool-libs 
package libtool-libs is not installed 








To mount your CD-ROM drive before installing all required packages, use the command: 
[root@deep /]# mount /dev/cdrom /mnt/cdrom/ 
mount: block device /dev/cdrom is write-protected, mounting read-only 

• To install the libjpeg package on your Linux system, use the following command: 
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/ 
[root@deep RPMS]# rpm -Uvh libjpeg-version.i386.rpm 
libjpeg ################################################## 

• To install the libpng package on your Linux system, use the following command: 
[root@deep RPMS]# rpm -Uvh libpng-version.i386.rpm 
libpng ################################################## 

• To install the freetype package on your Linux system, use the following command: 
[root@deep RPMS]# rpm -Uvh freetype-version.i386.rpm 
freetype ################################################## 

• To install the gd package on your Linux system, use the following command: 
[root@deep RPMS]# rpm -Uvh gd-version.i386.rpm 
gd ################################################## 

• To install the aspell package on your Linux system, use the following command: 
[root@deep RPMS]# rpm -Uvh aspell-version.i386.rpm 
aspell ################################################## 

• To install the pspell package on your Linux system, use the following command: 
[root@deep RPMS]# rpm -Uvh pspell-version.i386.rpm 
pspell ################################################## 

• To install the libtool-libs package on your Linux system, use the command: 
[root@deep RPMS]# rpm -Uvh libtool-libs-version.i386.rpm 
libtool-libs ################################################## 

• To unmount your CD-ROM drive, use the following command: 
[root@deep RPMS]# cd /; umount /mnt/cdrom/ 

















NOTE: For more information on the required software, see their related chapters in this book. 





Pristine source 

If you don't use the RPM package to install this program, it will be difficult for you to locate all 
the files it installed into the system in the event of an update in the future. To solve the problem, 
it is a good idea to make a list of files on the system before you install Apache, and one 
afterwards, and then compare them using the diff utility of Linux to find out what files are 
placed where. 

• Simply run the following command before installing the software: 
[root@deep /root]# find /* > Apache1 

• And the following one after you install the software: 
[root@deep /root]# find /* > Apache2 

• Then use the following command to get a list of what changed: 
[root@deep /root]# diff Apache1 Apache2 > Apache-Installed 

















With this procedure, if any upgrade appears, all you have to do is read the generated list of 
what files were added or changed by the program and remove them manually from your system 
before installing the new software. In our example above, we use the /root directory of 
the system to store all generated list files. 
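The same before/after bookkeeping is repeated later in this chapter for PHP4 (Step 7), mod_perl (Step 9) and Apache itself (Step 11). The following is an added example, not code from the book: it wraps the snapshot and comparison in two small shell functions and uses sorted listings with comm(1) so the result is a clean list of the paths that appeared. The demo builds a throwaway directory tree (constructed for the example, not a real install) so it runs offline; on a server you would snapshot / and keep the lists in /root as the book does.

```shell
# Added example: track which files an install adds, in the spirit of
# "find /* > Apache1" before and "find /* > Apache2" after.

# take_snapshot DIR OUTFILE : write a sorted list of every path under DIR
take_snapshot() {
    find "$1" -print | LC_ALL=C sort > "$2"
}

# added_files BEFORE AFTER : paths that appear in AFTER but not in BEFORE
# (comm -13 prints only lines unique to the second sorted file)
added_files() {
    LC_ALL=C comm -13 "$1" "$2"
}

# demo_install_tracking : simulate an install into a constructed tree and
# print the number of new paths it introduced (expected: 2)
demo_install_tracking() {
    tree=$(mktemp -d)
    # pre-existing files that must not be reported as "installed"
    mkdir -p "$tree/usr/sbin" "$tree/etc/httpd/conf"
    : > "$tree/usr/sbin/existing-tool"
    # snapshot lists live outside the tree so they are not counted themselves
    take_snapshot "$tree" "$tree.before"
    # simulated "make install": two new files appear
    : > "$tree/usr/sbin/httpd"
    : > "$tree/etc/httpd/conf/httpd.conf"
    take_snapshot "$tree" "$tree.after"
    added_files "$tree.before" "$tree.after" > "$tree.installed"
    count=$(wc -l < "$tree.installed" | tr -d ' ')
    rm -rf "$tree" "$tree.before" "$tree.after" "$tree.installed"
    echo "$count"
}
```

The "installed" list is what you would keep with the source archive: at upgrade time it tells you exactly which paths to remove before building the new version, and it doubles as a baseline for spotting files that later change ownership or appear unexpectedly under the web tree.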
Compiling - Optimizing & Installing Apache 

Below are the required steps that you must take to compile, configure and optimize the Apache 
software with other third-party modules and programs (if needed) before installing it into your 
Linux system. First off, we install the program as user 'root' so as to avoid authorization problems. 


Step 1 

Once you have all the needed programs from the main software site you must copy them to the 
/var/tmp directory and change to this location before expanding the archives. Below I assume 
all of the following are used: Apache, mod_ssl, mod_perl, and PHP4. 


• These procedures can be accomplished with the following commands: 
[root@deep /]# cp apache_version.tar.gz /var/tmp/ 
[root@deep /]# cp mod_ssl-version-version.tar.gz /var/tmp/ 
[root@deep /]# cp mod_perl-version.tar.gz /var/tmp/ 
[root@deep /]# cp php-version.tar.gz /var/tmp/ 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# tar xzpf apache_version.tar.gz 
[root@deep tmp]# tar xzpf mod_ssl-version-version.tar.gz 
[root@deep tmp]# tar xzpf mod_perl-version.tar.gz 
[root@deep tmp]# tar xzpf php-version.tar.gz 








Step 2 

Apache web server, like many applications that we have installed, cannot be run as super-user 
“root” for security reasons. We must create a special user that has minimal access to the 
system, and still functions enough to run the Apache web Server. It is best to choose and create 
a new user just for the purpose of running the Web Server daemon. 


• To create the Apache user, use the following command: 
[root@deep tmp]# useradd -c "Apache Server" -u 80 -s /bin/false -r -d /home/httpd www 2>/dev/null || : 

The above command will create a null account, with no password, no valid shell, no files owned, 
nothing but a UID and a GID. 


Step 3 

Apply mod_ssl to Apache source tree 

This section applies only if you choose to install mod_ssl with Apache in your system. If you 
want to use and include the SSL data encryption support in your Apache Web Server, then move 
into the new mod_ssl source directory and type the following commands on your terminal: 

• To move into the new mod_ssl source directory, use the following command: 
[root@deep tmp]# cd mod_ssl-2.8.4-1.3.20/ 

• To configure mod_ssl and include its code into Apache, use the following compilation: 
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \ 
./configure \ 
--with-apache=../apache_1.3.20 \ 
--with-crt=/usr/share/ssl/certs/my.domain.com.crt \ 
--with-key=/usr/share/ssl/private/my.domain.com.key 

The “--with-apache” option specifies the location of the Apache source directory (it's 
important to note that we suppose your Apache version in this example is 1.3.20), the 
“--with-crt” option specifies the location of your existing public key for SSL encryption, and the 
“--with-key” option specifies the location of your existing private key for SSL encryption. 








WARNING: OpenSSL software must already be installed on your server, and your public and 
private keys must already exist or be created on your server, or you'll receive an error 
message during the configuration of mod_ssl. See the chapter related to OpenSSL in this 
book for more information on the subject. 





Step 4 

Improve the MaxClients Parameter of Apache 

By default in the Apache configuration file (httpd.conf) the maximum number you can set for 
the MaxClients Parameter is 256. For a busy site, and for better performance, it’s 
recommended that you increase the limit of this parameter. You can do it by editing the 
src/include/httpd.h file in the source directory of Apache and change the default value. 


• To move into the Apache source directory use the following command: 
[root@deep mod_ssl-2.8.4-1.3.20]# cd ../apache_1.3.20/ 

• Edit the httpd.h file (vi +334 src/include/httpd.h), changing the line: 

#define HARD_SERVER_LIMIT 256 

To read: 

#define HARD_SERVER_LIMIT 1024 

WARNING: If you configure Apache without mod_ssl support, then the line to edit to change the 
default value will be 317 instead of 334. 





Step 5 

Pre-configure Apache for PHP4’s configure step 

This section applies only if you chose to install and use PHP4 with Apache in your system. If you 
want to use and include the PHP4 server-side scripting language support on your Apache web 
server, then move into the new Apache source directory if you are not already in it and type the 
following commands on your terminal: 

• To move into the Apache source directory, use the following command: 
[root@deep /]# cd /var/tmp/apache_1.3.20/ 

• To pre-configure PHP4 and include its code into Apache, use the following compilation: 
OPTIM="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \ 
CFLAGS="-DDYNAMIC_MODULE_LIMIT=0" \ 
./configure \ 
--prefix=/home/httpd \ 
--bindir=/usr/bin \ 
--sbindir=/usr/sbin \ 
--libexecdir=/usr/lib/apache \ 
--includedir=/usr/include/apache \ 
--sysconfdir=/etc/httpd/conf \ 
--localstatedir=/var \ 
--runtimedir=/var/run \ 
--logfiledir=/var/log/httpd \ 
--datadir=/home/httpd \ 
--proxycachedir=/var/cache/httpd \ 
--mandir=/usr/share/man 








WARNING: This step is necessary only if you want to include PHP4 support in your Apache source 
code, since it'll pre-configure Apache for PHP4's configure step below. Note that the 
“-DDYNAMIC_MODULE_LIMIT=0” option will disable the use of dynamically loaded modules in the 
compilation of Apache, and will improve its performance. 








Step 6 

Configure PHP4 and apply it to the Apache source tree 

This section applies only if you chose to install and use PHP4 with Apache in your system. Once 
we have pre-configured Apache to support PHP4 features, it is time to move into the new 
uncompressed PHP4 source directory then configure, optimize, compile and install it in the Linux 
server by using the following commands on your terminal: 


• To move into the new PHP4 source directory, use the following command: 
[root@deep /]# cd /var/tmp/php-4.0.5 

• To configure PHP4 and include its code into Apache, use the following compilation lines: 
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer -I/usr/include/openssl" \ 
./configure \ 
--prefix=/usr \ 
--with-exec-dir=/usr/bin \ 
--with-apache=../apache_1.3.20 \ 
--with-config-file-path=/etc/httpd \ 
--with-gd \ 
--with-ttf \ 
--with-jpeg \ 
--with-png \ 
--with-mm \ 
--with-imap-ssl \ (if you want SSL support in IMAP). 
--with-imap \ (if you want IMAP & POP support). 
--with-ldap \ (if you want LDAP database light directory support). 
--with-pgsql \ (if you want PostgreSQL database support). 
--with-mysql=/usr \ (if you want MySQL database support). 
--with-gettext \ 
--with-zlib \ 
--with-pspell \ (if you want a spell checker for specific applications) 
--enable-inline-optimization \ 
--enable-bcmath 

This tells PHP4 to set itself up for this particular configuration setup with: 

- Include GD support. 
- Include FreeType support. 
- Include JPEG support for GD. 
- Include PNG support for GD. 
- Include mm support for session storage. 
- Include SSL support in IMAP. 
- Include IMAP & POP support. 
- Include LDAP directory support. 
- Include PostgreSQL database support. 
- Include MySQL database support. 
- Include GNU gettext support for multi-language. 
- Include zlib support. 
- Include PSPELL support for spell checking in third-party programs. 
- Enable inline-optimization for better performance (only if you have much memory). 
- Enable and compile with bc style precision math functions for better performance. 











Step 7 

This section applies only if you chose to install and use PHP4 with Apache in your system. Now, 
we must make a list of files on the system before you install the software, and one afterwards, 
then compare them using the diff utility to find out what files are placed where and finally install 
PHP4 in the server. 


[root@deep php-4.0.5]# make 
[root@deep php-4.0.5]# cd 
[root@deep /root]# find /* > PHP1 
[root@deep /root]# cd /var/tmp/php-4.0.5/ 
[root@deep php-4.0.5]# make install 
[root@deep php-4.0.5]# cd 
[root@deep /root]# find /* > PHP2 
[root@deep /root]# diff PHP1 PHP2 > PHP-Installed 











The above commands will configure the software to ensure your system has the necessary 
libraries to successfully compile the package, compile all source files into executable binaries, 
and finally install the binaries and any supporting files into the appropriate locations. 


Step 8 

Apply mod_perl to Apache source tree and build/install the Perl-side of mod_perl 
This section applies only if you chose to install and use mod_perl with Apache in your system. If 
you want to use and include Perl programming language support in your Apache Web Server 
then, move into the new uncompressed mod_perl source directory and type the following 
commands on your terminal: 

• To move into the new mod_perl source directory, use the following command: 
[root@deep /]# cd /var/tmp/mod_perl-1.25/ 

• To configure mod_perl and include its code into Apache, use the compilation lines: 
perl Makefile.PL \ 
EVERYTHING=1 \ 
APACHE_SRC=../apache_1.3.20/src \ 
USE_APACI=1 \ 
PREP_HTTPD=1 \ 
DO_HTTPD=1 




















The <Makefile.PL> command will search for Apache source trees to configure mod_perl, 
<DO_HTTPD=1> will avoid configuring and building the httpd daemon, and <EVERYTHING=1> will 
enable all callback hooks arguments. 














Step 9 
This section applies only if you chose to install and use mod_perl with Apache in your system. 
Now, we must make a list of files on the system before you install the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where and 
finally install mod_perl in the server. 

[root@deep mod_perl-1.25]# make 
[root@deep mod_perl-1.25]# cd 
[root@deep /root]# find /* > ModPerl1 
[root@deep /root]# cd /var/tmp/mod_perl-1.25/ 
[root@deep mod_perl-1.25]# make install 
[root@deep mod_perl-1.25]# cd 
[root@deep /root]# find /* > ModPerl2 
[root@deep /root]# diff ModPerl1 ModPerl2 > ModPerl-Installed 





The above commands will configure the software to ensure your system has the necessary 
libraries to successfully compile the package, compile all source files into executable binaries, 
and finally install the binaries and any supporting files into the appropriate locations. 


Step 10 

Build/Install Apache with/without mod_ssl, PHP4 and/or mod_perl support 
Once you have included in your Apache source the third party modules that you want to support 
and use, it is time to configure, compile, optimize and install them into your Linux system. The 
next step is to move into the Apache source directory and type the following commands on your 
terminal depending on what you want to install with Apache. 


For people that just want to configure, compile and install Apache without any other third-party 
modules or programs, you must start directly from here. 


• To move into the Apache source directory, use the following command: 
[root@deep /]# cd /var/tmp/apache_1.3.20/ 

• To build Apache with all the required support programs, use the following compilation: 
SSL_BASE=SYSTEM \ (only for mod_ssl support). 
EAPI_MM=SYSTEM \ (only for mm Shared Memory Library support). 
OPTIM="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \ 
CFLAGS="-DDYNAMIC_MODULE_LIMIT=0" \ 
./configure \ 
--prefix=/home/httpd \ 
--bindir=/usr/bin \ 
--sbindir=/usr/sbin \ 
--libexecdir=/usr/lib/apache \ 
--includedir=/usr/include/apache \ 
--sysconfdir=/etc/httpd/conf \ 
--localstatedir=/var \ 
--runtimedir=/var/run \ 
--logfiledir=/var/log/httpd \ 
--datadir=/home/httpd \ 
--proxycachedir=/var/cache/httpd \ 
--mandir=/usr/share/man \ 
--add-module=src/modules/experimental/mod_mmap_static.c \ (only for mod_mmap). 
--add-module=src/modules/standard/mod_auth_db.c \ (only for mod_auth_db support). 
--enable-module=ssl \ (only for mod_ssl support). 
--enable-rule=SSL_SDBM \ (only for mod_ssl support). 
--disable-rule=SSL_COMPAT \ (only for mod_ssl support). 
--activate-module=src/modules/php4/libphp4.a \ (only for PHP4 support). 
--enable-module=php4 \ (only for PHP4 support). 
--activate-module=src/modules/perl/libperl.a \ (only for mod_perl support). 
--enable-module=perl \ (only for mod_perl support with Apache). 
--disable-module=status \ 
--disable-module=userdir \ 
--disable-module=negotiation \ 
--disable-module=autoindex \ 
--disable-module=imap \ 
--server-uid=www \ 
--server-gid=www 
This tells Apache to set itself up for this particular configuration setup with: 

- Enable module mod_mmap to improve performance on download time. 
- Enable module mod_auth_db for user password authentication security. 
- Enable module mod_ssl for data encryption and secure communication. 
- Enable module mod_php4 for the PHP server-side scripting language. 
- Enable module mod_perl for better security and performance than the default CGI scripts. 
- Disable module status 
- Disable module userdir 
- Disable module negotiation 
- Disable module autoindex 
- Disable module imap 







WARNING: It's important to note that removing all unneeded modules at configure time of 
Apache will improve the performance of your Web Server. In our configuration, we've removed 
the most unused modules both to reduce load and to limit the security risks in our 
Apache Web Server. See your Apache documentation for information on each one. 





Step 11 


Now, we must make a list of files on the system before you install the software, and one 
afterwards, then compare them using the diff utility to find out what files are placed where and 
finally install Apache in the server. 


[root@deep apache_1.3.20]# make 
[root@deep apache_1.3.20]# cd 
[root@deep /root]# find /* > Apache1 
[root@deep /root]# cd /var/tmp/apache_1.3.20/ 
[root@deep apache_1.3.20]# make install 
[root@deep apache_1.3.20]# rm -f /usr/sbin/apachectl 
[root@deep apache_1.3.20]# rm -f /usr/share/man/man8/apachectl.8 
[root@deep apache_1.3.20]# rm -rf /home/httpd/icons/ 
[root@deep apache_1.3.20]# rm -rf /home/httpd/htdocs/ 
[root@deep apache_1.3.20]# rm -f /home/httpd/cgi-bin/printenv 
[root@deep apache_1.3.20]# rm -f /home/httpd/cgi-bin/test-cgi 
[root@deep apache_1.3.20]# rm -rf /var/cache/httpd/ 
[root@deep apache_1.3.20]# rm -rf /etc/httpd/conf/ssl.crl/ 
[root@deep apache_1.3.20]# rm -rf /etc/httpd/conf/ssl.crt/ 
[root@deep apache_1.3.20]# rm -rf /etc/httpd/conf/ssl.csr/ 
[root@deep apache_1.3.20]# rm -rf /etc/httpd/conf/ssl.key/ 
[root@deep apache_1.3.20]# rm -rf /etc/httpd/conf/ssl.prm/ 
[root@deep apache_1.3.20]# rm -f /etc/httpd/conf/srm.conf 
[root@deep apache_1.3.20]# rm -f /etc/httpd/conf/srm.conf.default 
[root@deep apache_1.3.20]# rm -f /etc/httpd/conf/access.conf 
[root@deep apache_1.3.20]# rm -f /etc/httpd/conf/access.conf.default 
[root@deep apache_1.3.20]# rm -f /etc/httpd/conf/mime.types.default 
[root@deep apache_1.3.20]# rm -f /etc/httpd/conf/magic.default 
[root@deep apache_1.3.20]# cd /var/tmp/php-4.0.5/ 
[root@deep php-4.0.5]# install -m644 php.ini-dist /etc/httpd/php.ini 
[root@deep php-4.0.5]# cd 
[root@deep /root]# find /* > Apache2 
[root@deep /root]# diff Apache1 Apache2 > Apache-Installed 


The make command will compile all source files into executable binaries, and make install will 
install the binaries and any supporting files into the appropriate locations. The rm -f command 
will remove the small script “apachectl” responsible for starting and stopping the Apache daemon since 
we use a better script named “httpd” located under the /etc/rc.d/init.d/ directory that 
takes advantage of Linux System V. 

We also remove the /home/httpd/icons directory needed under Apache when you use its 
automatic indexing feature. This feature can bring about a security risk, and for this reason we've 
disabled it in the configuration file. Therefore, we can safely remove the directory to make space 
on the Linux server. The /home/httpd/htdocs directory holds all documentation files 
related to Apache, so after we have finished reading the documentation we can remove it to gain 
space. 

The install -m command will install the php.ini-optimized file under the /etc/httpd 
directory, and will rename it php.ini; this file controls many aspects of PHP's behavior and will 
exist only if you have configured Apache with PHP4 support. The ssl.crl, ssl.crt, ssl.csr, 
ssl.key, and ssl.prm directories under /etc/httpd/conf are all of the directories related to 
SSL, and hold private and public keys as well as other things related to SSL features. Since we 
use another location, /usr/share/ssl, we can remove them safely. As for PHP4 support, these 
directories will exist only if you have configured Apache with mod_ssl support. 

Finally, we remove the unneeded srm.conf, srm.conf.default, access.conf, 
mime.types.default, magic.default, and access.conf.default files, whose purposes 
are now handled by the httpd.conf Apache configuration file. 


Step 12 

Once compilation, optimization and installation of the software have been finished, we can free up 
some disk space by deleting the program tar archives and the related source directories since 
they are no longer needed. 


• To delete all programs and their related source directories, use the following commands: 
[root@deep /]# cd /var/tmp/ 
[root@deep tmp]# rm -rf apache-version/ 
[root@deep tmp]# rm -f apache-version.tar.gz 
[root@deep tmp]# rm -rf mod_ssl-version-version/ 
[root@deep tmp]# rm -f mod_ssl-version-version.tar.gz 
[root@deep tmp]# rm -rf php-version/ 
[root@deep tmp]# rm -f php-version.tar.gz 
[root@deep tmp]# rm -rf mod_perl-version/ 
[root@deep tmp]# rm -f mod_perl-version.tar.gz 

















The rm commands as used above will remove all the source files we have used to compile and 
install Apache, mod_ssl, mod_perl, and PHP4. They will also remove the Apache, mod_ssl, 
mod_perl, and PHP4 compressed archives from the /var/tmp directory. 
Configuring Apache 

Configuration files for different services are very specific depending on your needs, and your 
network architecture. Someone might install Apache Server for showing web pages only; another 
might install it with database connectivity and e-commerce with SSL support, etc. Later, I provide 
a working httpd.conf file, with PHP4, Perl, SSL, and password authentication settings, to 
show you different possibilities but don't forget to use only the ones you need. 


We'll focus on optimization and security of these files, and leave all specific adjustments to your 
tastes. You will need to read the documentation that comes with these programs, and hopefully 
understand them. 


After building Apache, your next step is to verify or change, if necessary options in your Apache 
configuration files. Those files are: 


✓ /etc/httpd/conf/httpd.conf (The Apache Configuration File) 
✓ /etc/logrotate.d/httpd (The Apache Log Rotation File) 
✓ /etc/rc.d/init.d/httpd (The Apache Initialization File) 


/etc/httpd/conf/httpd.conf: The Apache Configuration File 

The httpd.conf file is the main configuration file for the Apache Web Server. A lot of options 
exist, and it's important to read the documentation that comes with Apache for more information 
on different settings and parameters. 

The following configuration example is a full working configuration file for Apache, with SSL and 
PHP4 support. Also, it's important to note that I only comment on parameters that relate to security 
and optimization, and leave all the others to your own research. We must change the default one 
to fit our requirements and operating system. The text in bold marks the parts of the configuration file 
that must be customized and adjusted to satisfy our needs. 


• Edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf) and set your needs: 

### Section 1: Global Environment 
# 
ServerType standalone 
ServerRoot "/etc/httpd" 
PidFile /var/run/httpd.pid 
ResourceConfig /dev/null 
AccessConfig /dev/null 
Timeout 300 
KeepAlive On 
MaxKeepAliveRequests 0 
KeepAliveTimeout 15 
MinSpareServers 16 
MaxSpareServers 64 
StartServers 16 
MaxClients 512 
MaxRequestsPerChild 100000 

### Section 2: 'Main' server configuration 
# 
<IfDefine SSL> 
Listen 207.35.78.3:80 
Listen 207.35.78.3:443 
</IfDefine> 

User www 
Group www 
ServerAdmin webadmin@openna.com 
ServerName www.openna.com 
DocumentRoot "/home/httpd/openna" 

<Directory /> 
Options None 
AllowOverride None 
Order deny,allow 
Deny from all 
</Directory> 

<Directory "/home/httpd/openna"> 
Options None 
AllowOverride None 
Order allow,deny 
Allow from all 
</Directory> 

<Files .pl> 
Options None 
AllowOverride None 
Order deny,allow 
Deny from all 
</Files> 

<IfModule mod_dir.c> 
DirectoryIndex index.htm index.html index.php index.php3 index.shtml 
</IfModule> 

#<IfModule mod_include.c> 
#Include conf/mmap.conf 
#</IfModule> 

UseCanonicalName On 

<IfModule mod_mime.c> 
TypesConfig /etc/httpd/conf/mime.types 
</IfModule> 

DefaultType text/plain 
HostnameLookups Off 

ErrorLog /var/log/httpd/error_log 
LogLevel warn 

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined 
LogFormat "%h %l %u %t \"%r\" %>s %b" common 
LogFormat "%{Referer}i -> %U" referer 
LogFormat "%{User-agent}i" agent 
CustomLog /var/log/httpd/access_log common 

ServerSignature Off 

<IfModule mod_alias.c> 
ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/" 
<Directory "/home/httpd/cgi-bin"> 
AllowOverride None 
Options None 
Order allow,deny 
Allow from all 
</Directory> 
</IfModule> 

<IfModule mod_mime.c> 
AddEncoding x-compress Z 
AddEncoding x-gzip gz tgz 
AddType application/x-tar .tgz 
#AddType application/x-httpd-php .php 
#AddType application/x-httpd-php .php3 
#AddType application/x-httpd-php-source .phps 
</IfModule> 

ErrorDocument 404 http://www.openna.com/error.htm 
ErrorDocument 403 "Access Forbidden -- Go away. 

<IfModule mod_setenvif.c> 
BrowserMatch "Mozilla/2" nokeepalive 
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 
BrowserMatch "RealPlayer 4\.0" force-response-1.0 
BrowserMatch "Java/1\.0" force-response-1.0 
BrowserMatch "JDK/1\.0" force-response-1.0 
</IfModule> 

### Section 3: Virtual Hosts 
# 
NameVirtualHost 207.35.78.3:80 

<VirtualHost 207.35.78.3:80> 
ServerAdmin webadmin@openna.com 
ServerName www.openna.com 
DocumentRoot "/home/httpd/openna" 
ErrorLog /var/log/httpd/error_openna_log 
TransferLog /var/log/httpd/access_openna_log 
</VirtualHost> 

## SSL Global Context 
# 
<IfDefine SSL> 
AddType application/x-x509-ca-cert .crt 
AddType application/x-pkcs7-crl .crl 
</IfDefine> 

<IfModule mod_ssl.c> 
SSLPassPhraseDialog builtin 
SSLMutex sem 
SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect builtin 
SSLSessionCache shm:/var/run/ssl_scache(512000) 
SSLSessionCacheTimeout 300 
SSLLog /var/log/httpd/ssl_engine_log 
SSLLogLevel warn 
</IfModule> 

## SSL Virtual Host Context 
# 
<IfDefine SSL> 
NameVirtualHost 207.35.78.3:443 

<VirtualHost 207.35.78.3:443> 
ServerAdmin webadmin@openna.com 
ServerName www.openna.com 
DocumentRoot "/home/httpd/openna" 
ErrorLog /var/log/httpd/error_openna_log 
TransferLog /var/log/httpd/access_openna_log 
SSLEngine on 
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
SSLCertificateFile /usr/share/ssl/certs/www.crt 
SSLCertificateKeyFile /usr/share/ssl/private/www.key 
SSLVerifyClient none 
SSLVerifyDepth 10 
SetEnvIf User-Agent ".*MSIE.*" \ 
nokeepalive ssl-unclean-shutdown \ 
downgrade-1.0 force-response-1.0 
CustomLog /var/log/httpd/ssl_request_log \ 
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" 
</VirtualHost> 
</IfDefine> 
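Several settings in the file above are there for security rather than performance: the dedicated www user and group, ServerSignature Off, and the <Directory /> container that denies everything not explicitly opened up elsewhere. The following is an added example, not code from the book: a small shell audit that reads an httpd.conf and reports when those settings drift. The two configuration samples it runs against are constructed for the demo (a permissive file and the hardened form used in this chapter); they are not the book's file, and the check list covers only the directives discussed here.

```shell
# Added example: audit the security-relevant httpd.conf directives from this
# chapter. Findings go to stderr; the finding count is printed on stdout.

# directive_value FILE NAME : argument of the first uncommented NAME directive
# (directive names are case-insensitive in Apache); empty if absent
directive_value() {
    awk -v name="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(name) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit
        }' "$1"
}

# root_directory_block FILE : body of the <Directory /> container, if any
root_directory_block() {
    awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+\/>/ { inblk = 1; next }
        inblk && tolower($0) ~ /^[ \t]*<\/directory>/ { exit }
        inblk { print }' "$1"
}

# audit_httpd_conf FILE : check User/Group, ServerSignature and <Directory />
audit_httpd_conf() {
    conf=$1
    findings=0
    # root is obviously wrong; a shared account such as nobody lets services
    # reach each other's resources, which the chapter warns against
    for who in User Group; do
        case "$(directive_value "$conf" "$who" | tr 'A-Z' 'a-z')" in
            root|nobody|"")
                echo "FINDING: $who is root, nobody or unset; use a dedicated account" >&2
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$(directive_value "$conf" ServerSignature | tr 'A-Z' 'a-z')" = "off" ] ||
        { echo "FINDING: ServerSignature is not Off" >&2; findings=$((findings + 1)); }
    block=$(root_directory_block "$conf")
    for want in 'Options[[:space:]]+None' 'AllowOverride[[:space:]]+None' \
                'Deny[[:space:]]+from[[:space:]]+all'; do
        printf '%s\n' "$block" | grep -Eiq "^[[:space:]]*$want" ||
            { echo "FINDING: <Directory /> lacks: $want" >&2; findings=$((findings + 1)); }
    done
    echo "$findings"
}

# Constructed samples (not the book's file): a permissive configuration and
# the hardened form used in this chapter.
write_weak_sample() {
    cat > "$1" <<'EOF'
User nobody
Group nobody
ServerSignature On
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
EOF
}

write_hardened_sample() {
    cat > "$1" <<'EOF'
User www
Group www
ServerSignature Off
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
EOF
}

# audit_sample weak|hardened : write the named sample to a temp file, audit it
# and print the finding count (weak -> 6, hardened -> 0)
audit_sample() {
    f=$(mktemp)
    "write_${1}_sample" "$f"
    audit_httpd_conf "$f"
    rm -f "$f"
}
```

Run it as audit_httpd_conf /etc/httpd/conf/httpd.conf after every edit to the file, or from the same cron job that rotates the logs; a non-zero count is the signal that someone loosened a control that the rest of the chapter assumes is in place.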


This tells the httpd.conf file to set itself up for this particular configuration setup with: 


ServerType standalone 

This option “ServerType” specifies how Apache should run on the system. You can run it from 
the super-server xinetd, or as standalone daemon. It’s highly recommended to run Apache in 
standalone type for best performance and speed. Loading the httpd daemon, as a standalone 
daemon will eliminate load time and will even reduce swapping since non-library code will be 
shared. This is a performance feature. 


ServerRoot "/etc/httpd" 

This option “ServerRoot” specifies the directory in which the configuration files of the Apache 
server live. It allows Apache to know where it can find its configuration files when it starts. In our 
setup, this file is located under the /etc/httpd/conf directory and it's named httpd.conf. 


PidFile /var/run/httpd.pid 

This option “PidFile” specifies the location where the server will record the process id of the 
daemon when it starts. This option is only required when you configure Apache in standalone 
mode as we do. 


ResourceConfig /dev/null 

This option “ResourceConfig” specifies the location of the old srm.conf file that Apache read 
after it finished reading its httpd.conf file. When you set the location to /dev/null, Apache 
allows you to include the content of this file into the httpd.conf file, and in this manner, you 
have just one file that handles all your configuration parameters for simplicity. 

AccessConfig /dev/null 

This option “AccessConfig” specifies the location of the old access.conf file that Apache 
read after it finished reading the srm.conf file. As for the above “ResourceConfig” parameter, 
when you set the location to /dev/null, Apache allows you to include the content of this file 
into its httpd.conf file, and in this manner, you have just one file that handles all your 
configuration parameters for simplicity again. 

Timeout 300 

This option “Timeout” specifies the amount of time Apache will wait for a GET, POST, PUT 
request and ACKs on transmissions. You can safely leave this option at its default value. 
KeepAlive On 

This option “KeepAlive” if set to "On" enables persistent connections on the Web Server. For 
better performance, it's recommended to set this option to “On” and allow more than one request 
per connection. This is a performance feature. 

MaxKeepAliveRequests 0 

This option “MaxKeepAliveRequests” specifies the number of requests allowed per connection 
when the KeepAlive option above is set to “On”. When the value of this option is set to “0” then 
unlimited requests are allowed on the server. For server performance, it's recommended to allow 
unlimited requests. This is a performance feature. 





KeepAliveTimeout 15 

This option “KeepAliveTimeout” specifies how much time, in seconds, Apache will wait for a 
subsequent request before closing the connection. The value of “15” seconds is a good average 
for server performance. This is a performance feature. 


MinSpareServers 16 

This option “MinSpareServers” specifies the minimum number of idle child server processes 
for Apache, which are not handling a request. This is an important tuning parameter regarding the 
performance of the Apache Web Server. For high load operation, a value of “16” is 
recommended by various benchmarks on the Internet. This is a performance feature. 

MaxSpareServers 64 

This option “MaxSpareServers” specifies the maximum number of idle child server processes 
for Apache, which are not handling a request. This is also an important tuning parameter regarding 
the performance of the Apache Web Server. For high load operation, a value of “64” is 
recommended by various benchmarks on the Internet. This is a performance feature. 


StartServers 16 

This option “StartServers” specifies the number of child server processes that will be created 
by Apache on start-up. This is, again, an important tuning parameter regarding the performance 
of the Apache Web Server. For high load operation, a value of “16” is recommended by various 
benchmarks on the Internet. This is a performance feature. 


MaxClients 512

This option "MaxClients" specifies the number of simultaneous requests that can be supported by Apache. This is an important tuning parameter regarding the performance of the Apache Web Server. For high load operation, a value of "512" is recommended by various benchmarks on the Internet. Note that Apache 1.3 caps this directive at the compile-time constant HARD_SERVER_LIMIT, which is 256 unless you rebuilt the server with a higher value, so make sure your build allows 512 before relying on it. This is a performance feature.


MaxRequestsPerChild 100000 

This option "MaxRequestsPerChild" specifies the number of requests that an individual child server process will handle before it exits and is replaced by a fresh one. Besides being an important tuning parameter regarding the performance of the Apache Web Server, this bounds the damage of any memory leak in a long-lived child; a value of "0" would keep children alive forever. This is a performance feature.


User www 

This option “User” specifies the UID that Apache daemon will run as. It’s important to create a 
new user that has minimal access to the system, and functions just for the purpose of running the 
Web Server daemon. Using a different UID that already exists on the system (i.e. nobody) can 
allow your services to access each other’s resources. In our example, we use the Apache user 
we have created previously which is named “www”. 
Group www

This option “Group” specifies the GID the Apache daemon will run as. It’s important to create a 
new group that has minimal access to the system and functions just for the purpose of running 
the Web Server daemon. In our example, we use the Apache group we have created previously 
which is named “www”. 


<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

This block of options lets you run a really tight ship by stopping users from overriding system-wide settings. The default Apache access for <Directory /> is Allow from all, which means the server will serve any file mapped from a URL. For this reason it is highly recommended that you change this block to the one we have configured here and then override it only for the directories you want accessible. Note that the argument to Order is written deny,allow with no space; "deny, allow" is two arguments and Apache will refuse to start. This is a security feature.





DirectoryIndex index.htm index.html index.php index.php3 index.shtml

This option "DirectoryIndex" specifies the files Apache will use as a pre-written HTML directory index. In other words, if Apache can't find the first index page in this list, it'll try the next entry, if available. To improve performance of the Web Server it's recommended to list the most used default index pages of your web site first and not to include too many. This is a performance feature.


<IfModule mod_mmap_static.c>
    Include conf/mmap.conf
</IfModule>

This option "Include" specifies the location of other files that you can include from within the server configuration file httpd.conf. In our case, we include the mmap.conf file located under the /etc/httpd/conf directory. This file mmap.conf maps files into memory for faster serving. The <IfModule> test must name mod_mmap_static.c, the module that provides the mmapfile directive used in mmap.conf; guarding it with another module's name, as some published configurations do with mod_include.c, means Apache will refuse to start with an "Invalid command" error if mod_mmap_static was not compiled in. See the section on "Optimizing Apache" in this chapter for more information. This is a performance feature.


HostnameLookups Off

This option "HostnameLookups", if set to "Off", disables DNS lookups of client addresses. It's recommended to set this option to "Off" in order to save the network round trips and to improve the performance of your Apache Web Server; your log files will then record IP addresses, which you can resolve offline with the logresolve utility shipped with Apache if you need names. Note that "Allow from" and "Deny from" rules written with host names still force a lookup for each matching request, so prefer IP addresses in those rules too. This is a performance feature.








NOTE: If your httpd.conf file contains many <VirtualHost> sections that are substantially the same, then I recommend you read the Apache "Dynamically configured mass virtual hosting" document, which describes how to efficiently serve an arbitrary number of virtual hosts. This is online documentation, which can be retrieved from the Apache website at the following URL: http://httpd.apache.org/docs/vhosts/mass.html.
/etc/logrotate.d/httpd: The Apache Log rotation File

The /etc/logrotate.d/httpd file allows logrotate to rotate all Apache log files automatically every week (the weekly frequency comes from the defaults in /etc/logrotate.conf). The text in bold marks the parts of the configuration file that must be customized and adjusted to satisfy our needs.

• Create the httpd file (touch /etc/logrotate.d/httpd) and add the following lines:


/var/log/httpd/access_log {
    missingok
    postrotate
        /usr/bin/killall -HUP httpd
    endscript
}

/var/log/httpd/error_log {
    missingok
    postrotate
        /usr/bin/killall -HUP httpd
    endscript
}

/var/log/httpd/ssl_request_log {
    missingok
    postrotate
        /usr/bin/killall -HUP httpd
    endscript
}

/var/log/httpd/ssl_engine_log {
    missingok
    postrotate
        /usr/bin/killall -HUP httpd
    endscript
}





NOTE: Lines to automatically rotate the SSL log files named ssl_request_log and ssl_engine_log are included in this file. If you intend to run Apache without SSL support, you must remove the above lines related to SSL. Also be aware that killall -HUP signals every httpd process, including the children serving requests at that moment; signalling only the parent through its pid file, as the reload target of the initialization script below does, is gentler. Before relying on the file, run logrotate in its debug mode, which reports what would be rotated without touching anything.





/etc/rc.d/init.d/httpd: The Apache Initialization File

The /etc/rc.d/init.d/httpd script file is responsible for automatically starting and stopping the Apache daemon on your server. Loading httpd as a standalone daemon rather than from inetd eliminates the per-connection load time and even reduces swapping, since the non-library code is shared between the child processes.

Step 1
Create the httpd script file (touch /etc/rc.d/init.d/httpd) and add the following lines:


#!/bin/sh
#
# Startup script for the Apache Web Server
#
# chkconfig: 345 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# pidfile: /var/run/httpd.pid
# config: /etc/httpd/conf/httpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

# See how we were called.
case "$1" in
  start)
        echo -n "Starting httpd: "
        daemon httpd -DSSL
        echo
        touch /var/lock/subsys/httpd
        ;;
  stop)
        echo -n "Shutting down http: "
        killproc httpd
        echo
        rm -f /var/lock/subsys/httpd
        rm -f /var/run/httpd.pid
        ;;
  status)
        status httpd
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        echo -n "Reloading httpd: "
        killproc httpd -HUP
        echo
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
esac

exit 0


Step 2 

Once the httpd script file has been created, it is important to make it executable, change its default permissions, create the necessary links and start it. Making this file executable allows the system to run it; changing its default permissions allows only the root user to change this file, for security reasons; and creating the symbolic links lets the process control initialization of Linux, which is in charge of starting all the normal and authorized processes that need to run at boot time on your system, start the program automatically for you at each reboot.

• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/httpd
[root@deep /]# chown 0.0 /etc/rc.d/init.d/httpd

• To create the symbolic rc.d links for Apache, use the following commands:
[root@deep /]# chkconfig --add httpd
[root@deep /]# chkconfig --level 345 httpd on

• To start Apache software manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/httpd start
Starting httpd:                                            [OK]
WARNING: The "-DSSL" option that we added by default in the initialization file above will start
Apache in SSL mode. If you want to start it in regular mode, remove the “-DSSL” option near the 
line that reads “daemon httpd” in the Apache initialization file. 


NOTE: All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can unpack this to any location on your local machine, say for example /var/tmp; assuming you have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy directory each configuration file has its own directory for the respective software. You can either copy and paste these directly if you are faithfully following our instructions from the beginning, or manually edit them to suit your needs. This facility is there as a convenience, but please don't forget that ultimately it is your responsibility to check and verify them before you use them, whether modified or as they are.





Enable PHP4 server-side scripting language with the Web Server 

If you intend to use PHP4 server-side scripting language support with your Apache Web Server, don't forget to include the following lines in your /etc/httpd/conf/httpd.conf file to enable this feature:

Step 1
Edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf), and add or uncomment the following lines between the section tags <IfModule mod_mime.c> and </IfModule>.

AddType application/x-httpd-php .php
AddType application/x-httpd-php .php3
AddType application/x-httpd-php-source .phps

The third line makes PHP display the syntax-highlighted source of any file ending in .phps instead of running it. That only affects files you deliberately give that extension, but never leave a .phps copy of a live script in your DocumentRoot, since it hands your application code to anyone who asks for it; drop the line if you don't need the feature.








Step 2 

Once the above lines have been included or uncommented in the httpd.conf file of Apache to enable the PHP4 feature with your Web Server, you must restart Apache for the changes to take effect.

• To restart Apache, use the following command:
[root@deep /]# /etc/rc.d/init.d/httpd restart
Shutting down http:                                        [OK]
Starting httpd:                                            [OK]


Step 3 

After the Web Server has been restarted, we must test the new PHP 4 feature to be sure it's working. We'll create a small PHP file named php.php in our DocumentRoot, and then point our web browser to this PHP document to see if PHP 4 works on the server.

• Create the php.php file in your DocumentRoot (touch /home/httpd/openna/php.php) and add the following line to the PHP file:

<?php phpinfo() ?>

NOTE: This line will instruct PHP 4 to display various pieces of information about the configuration of our Linux Web Server.





Step 4
Now, point your web browser to the following address: http://my.domain.com/php.php

The <my.domain.com> is the address where your Apache Web Server lives, and <php.php> is the PHP document we have created above to display the information and configuration of our Linux Web Server with PHP4 features enabled.

If the PHP information page appears in your web browser... congratulations! Your PHP module is working. Remove php.php as soon as you have finished testing (the Zend Optimizer section later in this chapter reuses it once more, so remove it after that test if you follow it): phpinfo() publishes your PHP version, compiled-in modules, file paths and environment to anyone who requests the page, which is exactly the information an attacker wants first.


Securing Apache 

This section deals especially with actions we can make to improve and tighten security under 
Apache. The interesting points here are that we refer to the features available within the base 
installed program and not to any additional software. 
Change some important permissions on files and directories for your Web Server
When you install Apache, some files and directories have more permissive modes than they need by default. The binary program httpd can be set to be readable only by the super-user "root", and executable by the owner, group, and others, for better security. The /etc/httpd/conf and /var/log/httpd directories don't need to be readable, writable or executable by other people.


[root@deep /]# chmod 511 /usr/sbin/httpd 
[root@deep /]# chmod 700 /etc/httpd/conf/ 
[root@deep /]# chmod 700 /var/log/httpd/ 
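As an added example, not code from the book, here is a small shell audit that checks the httpd.conf directives discussed earlier in this chapter (User, Group, the <Directory /> block and HostnameLookups) together with the three file modes set just above, so you can re-verify a server after a package upgrade or a colleague's edit. The default paths are the book's; the HTTPD_CONF, HTTPD_BIN, HTTPD_CONFDIR and HTTPD_LOGDIR variables are names assumed for this example, not Apache settings, and the mode check relies on stat(1) in either its GNU or BSD form.

```shell
#!/bin/sh
# Added example (not from the book): audit the security settings this
# chapter applies to Apache 1.3. HTTPD_CONF, HTTPD_BIN, HTTPD_CONFDIR and
# HTTPD_LOGDIR are assumptions of this script, not Apache settings; they
# default to the book's paths.

# audit_httpd_conf [FILE]: print one finding per line for the directives
# covered above; exit status is the number of findings (0 = clean).
audit_httpd_conf() {
    awk '
        { sub("#.*", ""); sub("^[ \t]+", "") }    # drop comments and indent
        NF == 0 { next }
        tolower($1) == "user"            { user = $2 }
        tolower($1) == "group"           { group = $2 }
        tolower($1) == "hostnamelookups" { lookups = tolower($2) }
        # Only judge directives that sit inside the <Directory /> block.
        tolower($0) ~ "^<directory[ \t]+/>" { inroot = 1; next }
        tolower($0) ~ "^</directory>"       { inroot = 0; next }
        inroot && tolower($1) == "allowoverride"                { override = tolower($2) }
        inroot && tolower($1) == "order"                        { order = tolower($2) }
        inroot && tolower($1) == "deny" && tolower($3) == "all" { denyall = 1 }
        END {
            n = 0
            if (user == "")  user = "(unset)"
            if (group == "") group = "(unset)"
            if (user == "(unset)" || user == "root" || user == "nobody") {
                print "User must be a dedicated unprivileged account, got " user; n++ }
            if (group == "(unset)" || group == "root" || group == "nobody") {
                print "Group must be a dedicated unprivileged group, got " group; n++ }
            if (!denyall)              { print "<Directory /> lacks \"Deny from all\""; n++ }
            if (order != "deny,allow") { print "<Directory /> Order must be deny,allow (no space)"; n++ }
            if (override != "none")    { print "<Directory /> AllowOverride must be None"; n++ }
            if (lookups != "off")      { print "HostnameLookups should be Off"; n++ }
            exit n
        }
    ' "${1:-${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}}"
}

# file_mode PATH: octal permission bits, via GNU stat or BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# check_mode PATH EXPECTED: report a mismatch and return 1.
check_mode() {
    actual=$(file_mode "$1") || { echo "$1: cannot stat"; return 1; }
    [ "$actual" = "$2" ] && return 0
    echo "$1: mode $actual, expected $2"
    return 1
}

# audit_apache_perms: the three chmod commands above, as checks.
# Exit status is the number of paths whose mode differs.
audit_apache_perms() {
    n=0
    check_mode "${HTTPD_BIN:-/usr/sbin/httpd}" 511     || n=$((n + 1))
    check_mode "${HTTPD_CONFDIR:-/etc/httpd/conf}" 700 || n=$((n + 1))
    check_mode "${HTTPD_LOGDIR:-/var/log/httpd}" 700   || n=$((n + 1))
    return $n
}

# Usage: sh audit-apache.sh /etc/httpd/conf/httpd.conf
if [ "$#" -gt 0 ]; then audit_httpd_conf "$1"; audit_apache_perms; fi
```

Run it as root after every configuration change; a non-zero exit status from either function means something on the list above drifted. The parser is deliberately simple (it does not follow Include files or <IfModule> nesting), which is fine for the single-file layout this chapter builds.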


Automatic indexing 

If you have enabled the automatic indexing of directories in your Apache configuration file (the Indexes keyword of the Options directive in httpd.conf, served by mod_autoindex; the IndexOptions directive only controls how such an index looks), then you'll have a security issue, since any request for a directory that doesn't contain an index file will build a listing of what is in the directory. In many cases, you may only want people seeing files that you specifically link to. The cleanest fix is to leave Indexes out of the Options line, as the Options None in our <Directory /> block does. If you cannot change the configuration, you can also turn it off by removing read permission from the DocumentRoot directory (but not from the files inside it), which lets Apache open files by name but not list the directory.


[root@deep /]# cd /home/httpd/ 
[root@deep httpd]# chmod 311 openna 
[root@deep httpd]# ls -la 


d-wx--x--x   13 webadmin webadmin     1024 Jul 28 08:12 openna


Now, with this modification, any requests for this protected directory should return an error 
message like: 


Forbidden 
You don't have permission to access “/openna/” on this server. 








NOTE: "openna" is the DocumentRoot (the directory out of which you will serve the documents). In our configuration file example (httpd.conf) the Indexes option is not enabled, therefore we don't need to apply this security feature.





Immunize important configuration file like httpd.conf 

As we already know, the immutable bit can be used to prevent deletion, overwriting or creation of a symbolic link to a file. Once the httpd.conf file has been configured, it's a good idea to immunize it with the following command. Remember to clear the bit again (chattr -i) before you edit the file, upgrade the package, or move the configuration directory to another partition as the chroot jail section later in this chapter does, since each of those operations will otherwise fail.


[root@deep /]# chattr +i /etc/httpd/conf/httpd.conf 


Create the . dbmpasswd password file for users authentication 

This step is necessary only if you think that you'll use an access file authentication system for 
your web site. Access file authentication is used when you are in the need to protect some part of 
your web site with a user password. With Apache, a lot of options exist to protect your site with 
usernames and passwords. 
Step 1

The dbmmanage program utility, which comes by default with Apache, can be used to create and update usernames and passwords of HTTP users. This method uses DBM format files, the fastest mechanism when you have thousands of users to manage in your password file. First of all, it's important to change the permissions of this program to (0750/-rwxr-x---), writable only by the super-user "root", readable and executable by the group and nothing for the others.


• To change the permissions on the dbmmanage program, use the following command:
[root@deep /]# chmod 750 /usr/bin/dbmmanage


Step 2 
Once the permission has been set to this program, we can create the DBM format file with 
username and password. 


• To create a username and password, use the following command:
[root@deep /]# /usr/bin/dbmmanage /etc/httpd/dbmpasswd adduser gmourani
New password: 
Re-type new password: 
User gmourani added with password encrypted to dtkTL83yvMbFO using crypt 


Where </etc/httpd/> is the location where we want to create and handle this password file, 
<dbmpasswd> is the name we give to the password file, and <gmourani> is the name of the 
user we want to add in our dbmpasswd file. 








NOTE: A user that we would like to add to the dbmpasswd file doesn't need to be a real user on the system. I mean that it is not necessary to have them in the /etc/passwd file.





Step 3 

If you use the dbmmanage utility of Apache Web Server to create passwords and usernames, 
don’t forget to include in your /etc/httpd/conf/httpd.conf configuration file the part of 
your web site you need to protect with user password authentication. 


• Edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf) and add the following lines to protect the "private" directory of your web site (in our example: openna) with user password authentication:


<Directory "/home/httpd/openna/private">
    Options None
    AllowOverride AuthConfig
    AuthName "Restricted Section"
    AuthType Basic
    AuthDBUserFile /etc/httpd/dbmpasswd
    require valid-user
</Directory>





The path </home/httpd/openna/private> specifies the directory we want to protect with a password and username, and </etc/httpd/dbmpasswd> specifies the location of the DBM password file. Keep that file outside the DocumentRoot, as here, readable by the "www" user the children run as and by nobody else. Also remember that Basic authentication sends the password base64-encoded, not encrypted, with every request, so serve a protected directory over SSL only.

WARNING: To add the DB password authentication module to your Apache Web Server, you must be sure to include it at configuration time of Apache with the following parameter: "--add-module=src/modules/standard/mod_auth_db.c". See your Apache documentation for more information.








Step 4 
Once the above lines have been included in the httpd.conf file of Apache to enable the user password authentication feature, you must restart Apache for the changes to take effect.


• To restart Apache, use the following command:
[root@deep /]# /etc/rc.d/init.d/httpd restart
Shutting down http: [OK] 

Starting httpd: [OK] 


Step 5 
Finally, we must test the new protected directory named private.

To verify that it works, point your web browser to the following address: http://my.domain.com/private/. The <my.domain.com> is the address where your Apache Web Server lives and </private/> is the directory protected with user password authentication. The browser must prompt for a username and password, and a wrong password must produce a 401 error rather than the page.
Optimizing Apache

This section deals especially with actions we can take to improve the performance of Apache. Note that we refer to the features available within the base installed Linux system as well as the Apache program and additional software.


The mod_mmap_static module of Apache

There is a special module with the Apache distribution called mod_mmap_static that can be used to improve the performance of your Web Server. This module works by providing mappings of a statically configured list of frequently requested, but unchanging, files in your DocumentRoot. Therefore, if the files served by Apache don't change often, you can use this useful module to memory-map the static documents and increase the speed of your Web Server. This means visitors to your sites get faster download times.

It's important to note that the mod_mmap_static module of Apache must be enabled at configuration and compilation time of Apache before you can use it. If you have followed what was described in the previous configuration and compilation section, this is already in Apache (the --add-module option naming mod_mmap_static.c).


Step 1 

The magical command to map all files under a DocumentRoot into a text file of your choice is shown below. Once again, this Apache module is only useful when you have a static web site; by static I mean a web site whose contents do not change often.

• To memory-map static documents, use the following command:
[root@deep /]# find /home/httpd/openna -type f -print | sed -e 's/.*/mmapfile &/' > /etc/httpd/conf/mmap.conf

The </home/httpd/openna> is the DocumentRoot, or to be more precise, the directory out of which you will serve your documents, and </etc/httpd/conf/mmap.conf> is the location where we want to create this file, mmap.conf, that contains a static memory-map of all documents under our DocumentRoot. Note that this one-liner does not quote the paths, so a file name containing a space produces a broken mmapfile line, and it lists every regular file, including .htaccess files and scripts that have no business being served as static content; review the generated file before including it.








WARNING: If you add or update contents on your site, don't forget to run this command line again and restart your Web Server for the changes to take effect.





Step 2 

Once the mmap.conf file has been created in the location where we have chosen to keep it, we must include it in the httpd.conf file of Apache to be able to use its interesting features on our Web Server.

• Edit the httpd.conf file (vi /etc/httpd/conf/httpd.conf) and add or uncomment the following lines:

<IfModule mod_mmap_static.c>
    Include conf/mmap.conf
</IfModule>

NOTE: See your Apache documentation for more information about the use of mod_mmap_static. Remember that this feature must be used only when you serve documents that don't change often on your web site.





Step 3 
Finally, the last step to do is to restart the Apache Web Server for the changes to take effect: 


• To restart Apache, use the following command:
[root@deep /]# /etc/rc.d/init.d/httpd restart
Shutting down http: [OK] 

Starting httpd: [OK] 
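The following is an added example, not the book's own command, that replaces the find | sed one-liner of Step 1 with a small generator for mmap.conf. It quotes every path, prunes dotfiles and dot-directories (.htaccess, .htpasswd, editor backups), skips files that should run through a handler rather than be served as static content, and leaves the password-protected directory from the "Securing Apache" section alone. The MMAP_SKIP_EXT and MMAP_SKIP_DIR variables and the sample DocumentRoot used in the check are constructed for this example, not Apache settings.

```shell
#!/bin/sh
# Added example, not the book's own command: build mmap.conf for
# mod_mmap_static from a DocumentRoot. MMAP_SKIP_EXT and MMAP_SKIP_DIR are
# names assumed for this example, not Apache settings.

# gen_mmap_conf DOCROOT -> sorted "mmapfile" lines on stdout
gen_mmap_conf() {
    docroot=$1
    skip_ext=${MMAP_SKIP_EXT:-.php}        # PHP scripts run through their handler
    skip_dir=${MMAP_SKIP_DIR:-private}     # the AuthDBUserFile-protected area above
    # -path '*/.*' -prune drops any entry whose name starts with a dot,
    # together with everything below it if it is a directory. (Do not run it
    # from a DocumentRoot that itself lives under a dot-directory.)
    find "$docroot" -path '*/.*' -prune -o -type f -print | LC_ALL=C sort |
    while IFS= read -r f; do
        case $f in
            *"$skip_ext")       continue ;;
            *"/$skip_dir/"*)    continue ;;
        esac
        printf 'mmapfile "%s"\n' "$f"
    done
}

# count_mmap_entries FILE: number of mmapfile lines, for a sanity check
# after regenerating (0 usually means the DocumentRoot path was wrong).
count_mmap_entries() {
    grep -c '^mmapfile ' "$1" || true
}

# Usage: gen_mmap_conf /home/httpd/openna > /etc/httpd/conf/mmap.conf
if [ "$#" -gt 0 ]; then gen_mmap_conf "$1"; fi
```

After regenerating the file, restart the Web Server as in Step 3; the mappings are read once at start-up, so edited documents are not picked up until you do.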


The Zend Optimizer for PHP4 server-side scripting language

This section applies only if you chose to install and use PHP4 with Apache on your system. The Zend Optimizer is a small program that sits in the PHP4 Zend engine between the Zend run-time compiler and the executor, and runs as a plug-in to PHP 4.

When used with PHP4, an application that uses the Zend Optimizer typically executes 40% to 100% faster. If you intend to use this free program, you can download it from the Zend website and place its library file on your system after expanding the archive. Remember that a zend_extension is native code loaded into every httpd child process, so obtain the archive only from the vendor's site and keep the installed library owned by root and unwritable by the "www" user.


These installation instructions assume:

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account "root".
Latest Zend Optimizer version number is 1.1.0

Packages
The following are based on information as listed by Zend as of 2001/06/05. Please regularly check at http://www.zend.com/ for the latest status.

Source codes are available from:
Zend Homepage: http://www.zend.com/
You must be sure to download: ZendOptimizer-1.1.0-PHP_4.0.5-Linux_glibc21-i386.tar.gz


Step 1 
Once you get the program from the main software site you must copy it to the /var/tmp 
directory and change to this location before expanding the archive. 


• These procedures can be accomplished with the following comm­ands:
[root@deep /]# cp ZendOptimizer-version-i386.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf ZendOptimizer-version-i386.tar.gz

Step 2
After that, move into the newly created Zend directory and copy the file called ZendOptimizer.so to the /usr/lib directory.

• To copy the ZendOptimizer.so file to your /usr/lib directory use the commands:
[root@deep tmp]# cd ZendOptimizer-1.1.0-PHP_4.0.5-Linux_glibc21-i386
[root@deep ZendOptimizer-1.1.0...]# cp ZendOptimizer.so /usr/lib/


Step 3 
Now, edit your php.ini file (vi /etc/httpd/php.ini) and add the following two lines. 





zend_optimizer.optimization_level=15 
zend_extension="/usr/lib/ZendOptimizer.so" 





Step 4 
Finally, you must restart the Apache Web Server for the changes to take effect: 


• To restart Apache, use the following command:
[root@deep /]# /etc/rc.d/init.d/httpd restart
Shutting down http: [OK] 

Starting httpd: [OK] 


Step 5 
Now, to verify that the Zend Optimizer is running, use the php.php file that we created previously by pointing your web browser to the following address: http://my.domain.com/php.php

The <my.domain.com> is the address where your Apache Web Server lives, and <php.php> is the PHP document we have created earlier to display the information and configuration of our Linux Web Server with PHP4 support.


The part of the output where the Zend Optimizer is listed will look something like this: 
This program makes use of the Zend scripting language engine: 
Zend Engine v1.0.5, Copyright (c) 1998-2001 Zend Technologies 
with Zend Optimizer v1.1.0, Copyright (c) 1998-2000, by Zend Technologies 








The atime and noatime attributes 

The atime and noatime attributes of Linux can be used to get measurable performance gains 
with Apache. See the chapter related to “General System Optimization” in this book for more 
information on the subject. 


The ulimit parameter 

The ulimit parameter of Linux, which provides control over the resources available to the shell and to processes started by it, can be used with its "-n" option to tune the maximum number of open file descriptors that may be used by a process such as Apache. As for the atime and noatime attributes above, you can go to the related chapter in this book, "General System Optimization", for more information on the subject.
Running Apache in a chroot jail

This part focuses on preventing Apache from being used as a point of break-in to the system hosting it. Apache by default runs as a non-root user, which will limit any damage to what can be done as a normal user with a local shell. Of course, allowing what amounts to an anonymous guest account falls rather short of the security requirements for most Apache servers, so an additional step can be taken: running Apache in a chroot jail.

The main benefit of a chroot jail is that the jail limits the portion of the file system the daemon can see to the root directory of the jail. Additionally, since the jail only needs to support Apache, the programs available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs (remember that Perl's suidperl binary is setuid root), which can be used to gain root access and break out of the jail. By running Apache in a chroot environment you can improve security significantly in a Unix environment. Keep in mind that a chroot is a file system boundary only: a process that obtains root inside the jail can still escape it, which is why the daemon must keep running as the unprivileged "www" user inside the jail.


[Figure: Apache in chroot jail. Our chroot jail, which hosts a Web Server and is owned by the user "www", is a small copy of our Linux file system structure for Apache, sitting inside our file system on Linux.]
Chrooting Apache is not an easy task and has a tendency to break things. Before we embark on this, we need to first decide whether it is beneficial for you to do so. Some pros and cons are, but most certainly not limited to, the following:

Pros:

• If Apache is ever compromised, the attacker will not have access to the entire Linux file system.

• Poorly written CGI scripts that may allow someone to access your server will not work.

Cons:

• There are extra libraries you'll need to have in the chroot jail for Apache to work.

• If you use any Perl/CGI features with Apache, you will need to copy the needed binaries, Perl libraries and files to the appropriate spot within the chroot space. The same applies for SSL, PHP, and other third-party programs.


Necessary steps to run Apache with mod_ssl and PHP4 in a chroot jail:
The chrooted configuration listed below supposes that you've compiled the Apache server with the external programs mod_ssl and PHP4 only. What you've compiled with Apache determines which libraries and binary programs you'll need to copy to the chrooted directory.

Remember that if you've compiled Apache to use mod_perl, you must copy all the related binaries and Perl libraries to the chrooted directory. Perl resides by default in /usr/lib/perl5 and, in case you use Perl features, copy the Perl directory and its subdirectories to /chroot/httpd/usr/lib/perl5. Personally I don't recommend running Apache with Perl support in a chroot jail. You can add these interpreters back in, but you lose some of the benefits of chroot.


Step 1

Add a new UID and a new GID, if this is not already done, for running the Apache httpd daemon. This is important because running it as root defeats the purpose of the jail, and using a different UID that already exists on the system (i.e. nobody) can allow your services to access each other's resources.

Consider the scenario where a web server is running as nobody, or any other overly used UID/GID, and is compromised. The cracker can now access any other processes running as nobody from within the chroot.

These are sample UID/GIDs. Check the /etc/passwd and /etc/group files for a free UID/GID number. In our configuration we'll use the numeric value "80" and the UID/GID name "www".

• To create the Apache user, use the following command:
[root@deep /]# useradd -c "Apache Server" -u 80 -s /bin/false -r -d /home/httpd www 2>/dev/null || :

The above command creates the group "www" with the numerical GID value 80 (Red Hat's useradd gives the private group the same number as the UID when it is free) and the user "www" with the numerical UID value 80. Check the result in /etc/passwd and /etc/group afterwards, since the "2>/dev/null || :" suffix hides any error useradd reports.
Step 2
Once the Apache user has been created, it is time to set up the chroot environment. First we need to create the chrooted Apache structure. We use /chroot/httpd for the chrooted Apache. The /chroot/httpd is just a directory on a different partition where we've decided to put Apache for more control and security.

[root@deep /]# /etc/rc.d/init.d/httpd stop          ← Only if the Apache daemon is already running.
Shutting down http:                                        [OK]
[root@deep /]# mkdir /chroot/httpd
[root@deep /]# mkdir /chroot/httpd/dev
[root@deep /]# mkdir /chroot/httpd/lib
[root@deep /]# mkdir /chroot/httpd/etc
[root@deep /]# mkdir /chroot/httpd/home
[root@deep /]# mkdir /chroot/httpd/tmp
[root@deep /]# chmod 777 /chroot/httpd/tmp/
[root@deep /]# chmod +t /chroot/httpd/tmp/
[root@deep /]# mkdir -p /chroot/httpd/usr/sbin
[root@deep /]# mkdir -p /chroot/httpd/var/run
[root@deep /]# mkdir -p /chroot/httpd/var/log











We need all of the above directories because, from the point of view of the chroot, we're sitting at "/" and anything above this directory is inaccessible. Note that /chroot/httpd/tmp is required only if you use mod_ssl with Apache; it is world-writable with the sticky bit set, like the real /tmp, so that the "www" user can create files there without being able to remove files owned by others.


Step 3 

After that, move the main configuration directory and all configuration files of Apache, the DocumentRoot directory and the httpd binary program of the Web Server to the chroot jail, then create the special devices /dev/null and /dev/urandom, which are required for the system to work properly. Note that /dev/urandom is required only if you use mod_ssl. If you set the immutable bit on httpd.conf earlier in this chapter, clear it first (chattr -i), or the move to another partition will fail when it tries to remove the original. Remember as well that the log paths in /etc/logrotate.d/httpd now point at the old location and must be changed to /chroot/httpd/var/log/httpd.

[root@deep /]# mv /etc/httpd /chroot/httpd/etc/
[root@deep /]# mv /home/httpd /chroot/httpd/home/
[root@deep /]# mv /var/log/httpd /chroot/httpd/var/log/
[root@deep /]# mv /usr/sbin/httpd /chroot/httpd/usr/sbin/
[root@deep /]# mknod /chroot/httpd/dev/null c 1 3
[root@deep /]# chmod 666 /chroot/httpd/dev/null
[root@deep /]# mknod /chroot/httpd/dev/urandom c 1 9          ← Only for mod_ssl support


Step 4 

This step is required only if you have compiled Apache with mod_ssl support. In this case, recreate a small copy of the /usr/share/ssl directory with the certs, crl and private directories, which hold all private and public keys, in the chroot jail environment.

• These procedures can be accomplished with the following commands:
[root@deep /]# mkdir -p /chroot/httpd/usr/share/ssl
[root@deep /]# cp -r /usr/share/ssl/certs /chroot/httpd/usr/share/ssl/
[root@deep /]# cp -r /usr/share/ssl/private /chroot/httpd/usr/share/ssl/
[root@deep /]# cp -r /usr/share/ssl/crl /chroot/httpd/usr/share/ssl/








WARNING: If you have other private and public keys related to other programs and applications 
into the certs and private directories, please don’t copy them to the jail environment. Only 
copy the private and public keys related to Apache. 
Step 5

This step is required only if you have compiled Apache with PHP4 support. In this case, move all of the following directories and PHP4 binary files to the chroot jail environment and change the default permission modes of the PHP4 binaries to execute-only, for security reasons. Note that phpize, php-config, phpextdist and pear are build and packaging tools; httpd does not need them to run PHP pages, so if you will never build extensions inside the jail you can leave them out and keep the jail smaller.

• These procedures can be accomplished with the following commands:














[root@deep /]# mkdir /chroot/httpd/usr/include
[root@deep /]# mkdir /chroot/httpd/usr/lib
[root@deep /]# mkdir /chroot/httpd/usr/bin
[root@deep /]# mv /usr/include/php /chroot/httpd/usr/include/
[root@deep /]# mv /usr/lib/ZendOptimizer.so /chroot/httpd/usr/lib/
[root@deep /]# mv /usr/lib/php /chroot/httpd/usr/lib/
[root@deep /]# mv /usr/bin/phpextdist /chroot/httpd/usr/bin/
[root@deep /]# mv /usr/bin/phpize /chroot/httpd/usr/bin/
[root@deep /]# mv /usr/bin/php-config /chroot/httpd/usr/bin/
[root@deep /]# mv /usr/bin/pear /chroot/httpd/usr/bin/
[root@deep /]# chmod 111 /chroot/httpd/usr/bin/*


Step 6 

Now, we must find the shared library dependencies of httpd binary and install them into the 
chroot directory structure. Use the ldd /chroot/httpd/usr/sbin/httpd command to find 
out which libraries are needed. The output (depending on what you’ve compiled with Apache) will 
be something similar to: 


• To find the shared library dependencies of httpd, execute the following command:
[root@deep /]# ldd /chroot/httpd/usr/sbin/httpd
        libpam.so.0 => /lib/libpam.so.0 (0x4001b000)
        libdl.so.2 => /lib/libdl.so.2 (0x40023000)
        libz.so.1 => /usr/lib/libz.so.1 (0x40026000)
        libpng.so.2 => /usr/lib/libpng.so.2 (0x40034000)
        libgd.so.1.8 => /usr/lib/libgd.so.1.8 (0x40055000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40086000)
        libm.so.6 => /lib/libm.so.6 (0x40099000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x400b9000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x400e6000)
        libc.so.6 => /lib/libc.so.6 (0x400fd000)
        libttf.so.2 => /usr/lib/libttf.so.2 (0x40223000)
        libjpeg.so.62 => /usr/lib/libjpeg.so.62 (0x4024a000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)








What we can see here is that, depending on which programs have been compiled and included 
with Apache, the shared library dependencies change. If you look closely at the dependencies 
above, you will see, for example, that the libz.so.1, libpng.so.2, libgd.so.1.8, 
libttf.so.2 and libjpeg.so.62 files, which were pulled in at PHP4 configuration time, are 
required in the chroot jail for the Web Server to work properly. 

Therefore it is always important to execute the ldd command to find out which libraries are 
required, depending on the programs you have compiled and included with your Web Server. 
Step 7 
Once the required libraries have been identified, copy them to the appropriate location inside the 
chroot jail. In our example these are the shared libraries identified above. 

[root@deep /]# cp /lib/libpam.so.0 /chroot/httpd/lib/ 
[root@deep /]# cp /lib/libdl.so.2 /chroot/httpd/lib/ 
[root@deep /]# cp /usr/lib/libz.so.1 /chroot/httpd/usr/lib/ 
[root@deep /]# cp /usr/lib/libpng.so.2 /chroot/httpd/usr/lib/ 
[root@deep /]# cp /usr/lib/libgd.so.1.8 /chroot/httpd/usr/lib/ 
[root@deep /]# cp /lib/libresolv.so.2 /chroot/httpd/lib/ 
[root@deep /]# cp /lib/libm.so.6 /chroot/httpd/lib/ 
[root@deep /]# cp /lib/libcrypt.so.1 /chroot/httpd/lib/ 
[root@deep /]# cp /lib/libnsl.so.1 /chroot/httpd/lib/ 
[root@deep /]# cp /lib/libc.so.6 /chroot/httpd/lib/ 
[root@deep /]# cp /usr/lib/libttf.so.2 /chroot/httpd/usr/lib/ 
[root@deep /]# cp /usr/lib/libjpeg.so.62 /chroot/httpd/usr/lib/ 
[root@deep /]# cp /lib/ld-linux.so.2 /chroot/httpd/lib/ 
[root@deep /]# strip -R .comment /chroot/httpd/usr/lib/* 

You'll also need the following extra libraries for some network functions, like name resolving: 

[root@deep /]# cp /lib/libnss_compat* /chroot/httpd/lib/ 
[root@deep /]# cp /lib/libnss_dns* /chroot/httpd/lib/ 
[root@deep /]# cp /lib/libnss_files* /chroot/httpd/lib/ 
[root@deep /]# strip -R .comment /chroot/httpd/lib/* 

NOTE: The "strip -R .comment" command removes the section named ".comment" from the 
library files under the /lib directory; this makes them smaller and can help their performance. 
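The manual copy above has to be repeated every time httpd is rebuilt with a different set of modules. The following POSIX sh helper, added here as an example and not part of the book's procedure, automates Steps 6 and 7: it parses ldd output, copies each library into the jail under its original path, and reports what the jail still lacks. The function names are my own; the jail path /chroot/httpd is the chapter's.

```shell
#!/bin/sh
# Added example, not from the book: automate Steps 6 and 7 of the chroot
# procedure. Parse the output of "ldd BINARY", copy every shared library it
# names into the jail at the same path (/lib stays /lib, /usr/lib stays
# /usr/lib), and list anything the jail is still missing.

# ldd_lib_paths: read ldd output on stdin and print one absolute library
# path per line. Handles "name => /path (0xaddr)" and the bare form
# "/lib/ld-linux.so.2 (0xaddr)"; skips entries that have no file on disk,
# such as the kernel vDSO ("linux-gate.so.1 =>  (0xaddr)").
ldd_lib_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# copy_libs_to_jail JAIL: read ldd output on stdin and copy each library
# into JAIL at the same path, creating directories as needed.
# Usage: ldd /chroot/httpd/usr/sbin/httpd | copy_libs_to_jail /chroot/httpd
copy_libs_to_jail() {
    jail=$1
    ldd_lib_paths | while read -r lib; do
        dir=$(dirname "$lib")
        mkdir -p "$jail$dir"
        cp -p "$lib" "$jail$dir/"
    done
}

# missing_libs JAIL: read ldd output on stdin and print the libraries that
# are not yet present inside JAIL. No output means the jail is complete;
# run it again after every change to the modules compiled into httpd.
# Usage: ldd /chroot/httpd/usr/sbin/httpd | missing_libs /chroot/httpd
missing_libs() {
    jail=$1
    ldd_lib_paths | while read -r lib; do
        [ -e "$jail$lib" ] || printf '%s\n' "$lib"
    done
}
```

The book's strip -R .comment pass is still a separate step to run on the copied files afterwards.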





Step 8 

Now we need to copy the passwd and group files into the /chroot/httpd/etc chrooted 
directory. Next, we'll remove all entries except for the user Apache runs as from both files 
(passwd and group). 

[root@deep /]# cp /etc/passwd /chroot/httpd/etc/ 
[root@deep /]# cp /etc/group /chroot/httpd/etc/ 

• Edit the passwd file under the chroot jail (vi /chroot/httpd/etc/passwd) and 
delete all entries except for the user Apache runs as (in our configuration, it's "www"): 

www:x:80:80:Apache Server:/home/httpd:/bin/false 

• Edit the group file under the chroot jail (vi /chroot/httpd/etc/group) and delete 
all entries except the group Apache runs as (in our configuration it's "www"): 

www:x:80: 
Step 9 
You will also need the /etc/resolv.conf, /etc/nsswitch.conf, /etc/localtime, and 
/etc/hosts files in your chroot jail structure. 

[root@deep /]# cp /etc/resolv.conf /chroot/httpd/etc/ 
[root@deep /]# cp /etc/nsswitch.conf /chroot/httpd/etc/ 
[root@deep /]# cp /etc/localtime /chroot/httpd/etc/ 
[root@deep /]# cp /etc/hosts /chroot/httpd/etc/ 


Step 10 
Now we must set some files in the chroot jail directory immutable for better security. 

• These procedures can be accomplished with the following commands: 

[root@deep /]# cd /chroot/httpd/etc/ 
[root@deep etc]# chattr +i passwd 
[root@deep etc]# chattr +i group 
[root@deep etc]# chattr +i httpd/conf/httpd.conf 
[root@deep etc]# chattr +i resolv.conf 
[root@deep etc]# chattr +i hosts 
[root@deep etc]# chattr +i nsswitch.conf 

WARNING: Don't forget to remove the immutable bit from these files with the command 
"chattr -i" if you need to make modifications to them. 





Step 11 

One of the last steps is to inform the syslogd daemon about the new chrooted Apache 
service. Normally, processes talk to syslogd through /dev/log. Because of the chroot jail, 
this won't be possible, so the syslogd program needs to be told to also listen on 
/chroot/httpd/dev/log. To do this, edit the syslog startup script to specify additional 
places to listen. 

• Edit the syslog script (vi +24 /etc/rc.d/init.d/syslog) and change the line: 

daemon syslogd -m 0 

To read: 

daemon syslogd -m 0 -a /chroot/httpd/dev/log 


Step 12 
The default httpd script file of Apache starts the daemon "httpd" outside the chroot jail. We 
must change it to now start httpd from inside the chroot jail. 

• Edit the httpd script file (vi /etc/rc.d/init.d/httpd) and change the lines: 

daemon httpd -DSSL 

To read: 

/usr/sbin/chroot /chroot/httpd/ /usr/sbin/httpd -DSSL 

rm -f /var/run/httpd.pid 

To read: 

rm -f /chroot/httpd/var/run/httpd.pid 

Finally, we must test the new chrooted jail configuration of our Apache Web Server. 

The first thing to do is to restart our syslogd daemon with the following command: 

[root@deep /]# /etc/rc.d/init.d/syslog restart 
Shutting down kernel logger: 
Shutting down system logger: 
Starting system logger: 
Starting kernel logger: 

Now, start the new chrooted jail Apache with the following command: 

[root@deep /]# /etc/rc.d/init.d/httpd start 
Starting httpd: 


If you don't get any errors, do a ps ax | grep httpd and see if we're running: 

[root@deep /]# ps ax | grep httpd 
14373 ?        S    0:00 httpd -DSSL 
14376 ?        S    0:00 httpd -DSSL 
14377 ?        S    0:00 httpd -DSSL 
14378 ?        S    0:00 httpd -DSSL 
14379 ?        S    0:00 httpd -DSSL 
14380 ?        S    0:00 httpd -DSSL 
14381 ?        S    0:00 httpd -DSSL 
14382 ?        S    0:00 httpd -DSSL 
14383 ?        S    0:00 httpd -DSSL 
14384 ?        S    0:00 httpd -DSSL 
14385 ?        S    0:00 httpd -DSSL 
14386 ?        S    0:00 httpd -DSSL 
14387 ?        S    0:00 httpd -DSSL 
14388 ?        S    0:00 httpd -DSSL 
14389 ?        S    0:00 httpd -DSSL 
14391 ?        S    0:00 httpd -DSSL 
14397 ?        S    0:00 httpd -DSSL 
14476 ?        S    0:00 httpd -DSSL 
14477 ?        S    0:00 httpd -DSSL 
14478 ?        S    0:00 httpd -DSSL 


If so, let's check to make sure it's chrooted by picking one of its process numbers and doing 
ls -la /proc/that_process_number/root/. 

[root@deep /]# ls -la /proc/14373/root/ 

If you see something like the following, congratulations! Your Apache with mod_ssl and PHP4 in 
a chroot jail is working. 

dev 
etc 
home 
lib 
tmp 
usr 
var 
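Checking one process by hand is fine once; the helper below, added here as an example and not part of the book, does the same check for every httpd process by comparing the target of /proc/PID/root with the expected jail path. The function names are my own; the jail path /chroot/httpd is the chapter's, and the check must run as root to read other processes' /proc entries.

```shell
#!/bin/sh
# Added example, not from the book: confirm that every running httpd really
# has the jail as its root directory. The kernel exposes each process's
# root as the symlink /proc/PID/root; for a process started with
# "/usr/sbin/chroot /chroot/httpd/ ..." it points at /chroot/httpd, for a
# process started outside the jail it points at "/".

# normalize_path PATH: strip trailing slashes so "/chroot/httpd/" and
# "/chroot/httpd" compare equal ("/" itself stays "/").
normalize_path() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do
        p=${p%/}
    done
    printf '%s\n' "$p"
}

# proc_root PID: print the root directory the kernel reports for PID.
proc_root() {
    readlink "/proc/$1/root"
}

# verify_jailed JAIL PID...: print one line per PID with its root directory.
# Returns 0 only if every PID exists and has JAIL as its root.
verify_jailed() {
    jail=$(normalize_path "$1")
    shift
    status=0
    for pid in "$@"; do
        if ! root=$(proc_root "$pid"); then
            echo "$pid: no such process"
            status=1
            continue
        fi
        root=$(normalize_path "$root")
        if [ "$root" = "$jail" ]; then
            echo "$pid: root=$root OK"
        else
            echo "$pid: root=$root NOT JAILED"
            status=1
        fi
    done
    return $status
}

# httpd_pids: PIDs of the running httpd processes, as the chapter's
# "ps ax | grep httpd" shows them, but without matching the grep itself.
httpd_pids() {
    ps ax | awk '$5 ~ /(^|\/)httpd$/ { print $1 }'
}

# Typical use on the server:
#   verify_jailed /chroot/httpd $(httpd_pids)
```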
/etc/logrotate.d/httpd: The New Apache Log Rotation File 

With all the modifications for running Apache in a chroot jail, the Apache log files now reside in 
the /chroot/httpd/var/log/httpd directory instead of /var/log/httpd, and for this reason 
we need to modify the existing /etc/logrotate.d/httpd file to point to the new chrooted 
directory. Also, because we've compiled Apache with mod_ssl, we'll add entries to permit 
the logrotate program to rotate the ssl_request_log and ssl_engine_log files. 

Configure your /etc/logrotate.d/httpd file to rotate your log files each week automatically. 
We must change the default one to fit our requirements and operating system. The text in bold 
are the parts of the configuration file that must be customized and adjusted to satisfy our needs. 

Edit the httpd file (vi /etc/logrotate.d/httpd) and add or modify: 

/chroot/httpd/var/log/httpd/access_log { 
    missingok 
    postrotate 
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd 
    endscript 
} 

/chroot/httpd/var/log/httpd/error_log { 
    missingok 
    postrotate 
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd 
    endscript 
} 

/chroot/httpd/var/log/httpd/ssl_request_log { 
    missingok 
    postrotate 
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd 
    endscript 
} 

/chroot/httpd/var/log/httpd/ssl_engine_log { 
    missingok 
    postrotate 
        /usr/bin/killall -HUP /chroot/httpd/usr/sbin/httpd 
    endscript 
} 


List of installed Apache files on your system 

> /etc/rc.d/init.d/httpd 
> /etc/logrotate.d/httpd 
> /etc/httpd 
> /etc/httpd/conf 
> /etc/httpd/conf/httpd.conf.default 
> /etc/httpd/conf/httpd.conf 
> /etc/httpd/conf/mime.types 
> /etc/httpd/conf/magic 
> /etc/httpd/php.ini 
> /home/httpd 
> /home/httpd/cgi-bin 
> /usr/bin/htpasswd 
> /usr/bin/htdigest 
> /usr/bin/dbmmanage 
> /usr/include/apache 
> /usr/include/apache/xml 
> /usr/include/apache/xml/asciitab.h 
> /usr/include/apache/buff.h 
> /usr/include/apache/compat.h 
> /usr/include/apache/conf.h 
> /usr/include/apache/explain.h 
> /usr/include/apache/fnmatch.h 
> /usr/include/apache/hsregex.h 
> /usr/include/apache/http_conf_globals.h 
> /usr/include/apache/http_config.h 
> /usr/include/apache/http_core.h 
> /usr/include/apache/httpd.h 
> /usr/include/apache/http_log.h 
> /usr/include/apache/http_main.h 
> /usr/include/apache/http_protocol.h 
> /usr/include/apache/http_request.h 
> /usr/include/apache/http_vhost.h 
> /usr/include/apache/multithread.h 
> /usr/include/apache/rfc1413.h 
> /usr/include/apache/xml/hashtable.h 
> /usr/include/apache/xml/iasciitab.h 
> /usr/include/apache/xml/latin1tab.h 
> /usr/include/apache/xml/nametab.h 
> /usr/include/apache/xml/utf8tab.h 
> /usr/include/apache/xml/xmldef.h 
> /usr/include/apache/xml/xmlparse.h 
> /usr/include/apache/xml/xmlrole.h 
> /usr/include/apache/xml/xmltok.h 
> /usr/include/apache/xml/xmltok_impl.h 
> /usr/include/apache/ap_alloc.h 
> /usr/include/apache/ap_compat.h 
> /usr/include/apache/ap_config_auto.h 
> /usr/include/apache/ap_config.h 
> /usr/include/apache/ap_ctx.h 
> /usr/include/apache/ap_ctype.h 
> /usr/include/apache/ap.h 
> /usr/include/apache/ap_hook.h 
> /usr/include/apache/ap_md5.h 
> /usr/include/apache/ap_mm.h 
> /usr/include/apache/ap_mmn.h 
> /usr/include/apache/ap_sha1.h 
> /usr/include/apache/scoreboard.h 
> /usr/include/apache/util_date.h 
> /usr/include/apache/util_md5.h 
> /usr/include/apache/util_script.h 
> /usr/include/apache/util_uri.h 
> /usr/include/apache/os.h 
> /usr/include/apache/os-inline.c 
> /usr/lib/apache 
> /usr/sbin/httpd 
> /usr/sbin/ab 
> /usr/sbin/logresolve 
> /usr/sbin/rotatelogs 
> /usr/sbin/apxs 
> /usr/share/man/man1/htpasswd.1 
> /usr/share/man/man1/htdigest.1 
> /usr/share/man/man1/dbmmanage.1 
> /usr/share/man/man8/httpd.8 
> /usr/share/man/man8/ab.8 
> /usr/share/man/man8/logresolve.8 
> /usr/share/man/man8/rotatelogs.8 
> /usr/share/man/man8/apxs.8 
> /var/log/httpd 


List of installed PHP4 files on your system 

> /usr/bin/phpextdist 
> /usr/bin/phpize 
> /usr/bin/php-config 
> /usr/bin/pear 
> /usr/include/php 
> /usr/include/php/Zend 
> /usr/include/php/Zend/acconfig.h 
> /usr/include/php/Zend/FlexLexer.h 
> /usr/include/php/Zend/modules.h 
> /usr/include/php/Zend/zend_alloc.h 
> /usr/include/php/Zend/zend_API.h 
> /usr/include/php/Zend/zend_builtin_functions.h 
> /usr/include/php/Zend/zend_compile.h 
> /usr/include/php/Zend/zend_config.h 
> /usr/include/php/Zend/zend_config.w32.h 
> /usr/include/php/Zend/zend_constants.h 
> /usr/include/php/Zend/zend_dynamic_array.h 
> /usr/include/php/Zend/zend_errors.h 
> /usr/include/php/Zend/zend_execute.h 
> /usr/include/php/Zend/zend_execute_locks.h 
> /usr/include/php/Zend/zend_extensions.h 
> /usr/include/php/Zend/zend_fast_cache.h 
> /usr/include/php/Zend/zend_globals.h 
> /usr/include/php/Zend/zend_globals_macros.h 
> /usr/include/php/Zend/zend.h 
> /usr/include/php/Zend/zend_hash.h 
> /usr/include/php/Zend/zend_highlight.h 
> /usr/include/php/Zend/zend_indent.h 
> /usr/include/php/Zend/zend_list.h 
> /usr/include/php/Zend/zend_llist.h 
> /usr/include/php/Zend/zend_operators.h 
> /usr/include/php/Zend/zend-parser.h 
> /usr/include/php/Zend/zend_ptr_stack.h 
> /usr/include/php/Zend/zend-scanner.h 
> /usr/include/php/Zend/zend_stack.h 
> /usr/include/php/Zend/zend_static_allocator.h 
> /usr/include/php/Zend/zend_variables.h 
> /usr/include/php/TSRM 
> /usr/include/php/TSRM/acconfig.h 
> /usr/include/php/TSRM/readdir.h 
> /usr/include/php/TSRM/tsrm_config_common.h 
> /usr/include/php/TSRM/tsrm_config.h 
> /usr/include/php/TSRM/tsrm_config.w32.h 
> /usr/include/php/ext/xml/expat/xmlparse/expat_hashtable.h 
> /usr/include/php/ext/xml/expat/xmlparse/xmlparse.h 
> /usr/include/php/ext/xml/expat/xmltok 
> /usr/include/php/ext/xml/expat/xmltok/asciitab.h 
> /usr/include/php/ext/xml/expat/xmltok/iasciitab.h 
> /usr/include/php/ext/xml/expat/xmltok/latin1tab.h 
> /usr/include/php/ext/xml/expat/xmltok/nametab.h 
> /usr/include/php/ext/xml/expat/xmltok/utf8tab.h 
> /usr/include/php/ext/xml/expat/xmltok/xmldef.h 
> /usr/include/php/ext/xml/expat/xmltok/xmlrole.h 
> /usr/include/php/ext/xml/expat/xmltok/xmltok.h 
> /usr/include/php/ext/xml/expat/xmltok/xmltok_impl.h 
> /usr/include/php/ext/xml/php_xml.h 
> /usr/include/php/main 
> /usr/include/php/main/configuration-parser.h 
> /usr/include/php/main/config.w32.h 
> /usr/include/php/main/fdfdata.h 
> /usr/include/php/main/fopen-wrappers.h 
> /usr/include/php/main/internal_functions_registry.h 
> /usr/include/php/main/logos.h 
> /usr/include/php/main/php3_compat.h 
> /usr/include/php/main/php_compat.h 
> /usr/include/php/main/php_content_types.h 
> /usr/include/php/main/php_globals.h 
> /usr/include/php/main/php.h 
> /usr/include/php/main/php_ini.h 
> /usr/include/php/main/php_main.h 
> /usr/include/php/main/php_network.h 
> /usr/include/php/main/php_open_temporary_file.h 
> /usr/include/php/main/php_reentrancy.h 
> /usr/include/php/main/php_regex.h 
> /usr/include/php/main/php_syslog.h 
> /usr/include/php/main/php_ticks.h 
> /usr/include/php/main/php_variables.h 
> /usr/include/php/main/php_version.h 
> /usr/include/php/main/rfc1867.h 
> /usr/include/php/main/safe_mode.h 
> /usr/include/php/main/SAPI.h 
> /usr/include/php/main/snprintf.h 
> /usr/include/php/main/win95nt.h 
> /usr/include/php/regex 
> /usr/include/php/regex/cclass.h 
> /usr/include/php/regex/cname.h 
> /usr/include/php/TSRM/TSRM.h 
> /usr/include/php/TSRM/tsrm_strtok_r.h 
> /usr/include/php/TSRM/tsrm_virtual_cwd.h 
> /usr/include/php/ext 
> /usr/include/php/ext/standard 
> /usr/include/php/ext/standard/base64.h 
> /usr/include/php/ext/standard/basic_functions.h 
> /usr/include/php/ext/standard/cyr_convert.h 
> /usr/include/php/ext/standard/datetime.h 
> /usr/include/php/ext/standard/dl.h 
> /usr/include/php/ext/standard/dns.h 
> /usr/include/php/ext/standard/exec.h 
> /usr/include/php/ext/standard/file.h 
> /usr/include/php/ext/standard/flock_compat.h 
> /usr/include/php/ext/standard/fsock.h 
> /usr/include/php/ext/standard/head.h 
> /usr/include/php/ext/standard/html.h 
> /usr/include/php/ext/standard/info.h 
> /usr/include/php/ext/standard/md5.h 
> /usr/include/php/ext/standard/microtime.h 
> /usr/include/php/ext/standard/pack.h 
> /usr/include/php/ext/standard/pageinfo.h 
> /usr/include/php/ext/standard/php_array.h 
> /usr/include/php/ext/standard/php_assert.h 
> /usr/include/php/ext/standard/php_browscap.h 
> /usr/include/php/ext/standard/php_crypt.h 
> /usr/include/php/ext/standard/php_dir.h 
> /usr/include/php/ext/standard/php_ext_syslog.h 
> /usr/include/php/ext/standard/php_filestat.h 
> /usr/include/php/ext/standard/php_image.h 
> /usr/include/php/ext/standard/php_incomplete_class.h 
> /usr/include/php/ext/standard/php_iptc.h 
> /usr/include/php/ext/standard/php_lcg.h 
> /usr/include/php/ext/standard/php_link.h 
> /usr/include/php/ext/standard/php_mail.h 
> /usr/include/php/ext/standard/php_math.h 
> /usr/include/php/ext/standard/php_metaphone.h 
> /usr/include/php/ext/standard/php_output.h 
> /usr/include/php/ext/standard/php_parsedate.h 
> /usr/include/php/ext/standard/php_rand.h 
> /usr/include/php/ext/standard/php_smart_str.h 
> /usr/include/php/ext/standard/php_standard.h 
> /usr/include/php/ext/standard/php_string.h 
> /usr/include/php/ext/standard/php_var.h 
> /usr/include/php/ext/standard/quot_print.h 
> /usr/include/php/ext/standard/reg.h 
> /usr/include/php/ext/standard/scanf.h 
> /usr/include/php/ext/standard/type.h 
> /usr/include/php/ext/standard/uniqid.h 
> /usr/include/php/ext/standard/url.h 
> /usr/include/php/ext/standard/url_scanner_ex.h 
> /usr/include/php/ext/standard/url_scanner.h 
> /usr/include/php/ext/xml 
> /usr/include/php/ext/xml/expat 
> /usr/include/php/ext/xml/expat/xmlparse 
> /usr/include/php/regex/regex2.h 
> /usr/include/php/regex/regex_extra.h 
> /usr/include/php/regex/regex.h 
> /usr/include/php/regex/utils.h 
> /usr/include/php/acconfig.h 
> /usr/include/php/build-defs.h 
> /usr/include/php/php_config.h 
> /usr/include/php/php_version.h 
> /usr/lib/php 
> /usr/lib/php/extensions 
> /usr/lib/php/extensions/no-debug-non-zts-20000809 
> /usr/lib/php/Benchmark 
> /usr/lib/php/Benchmark/Iterate.php 
> /usr/lib/php/Benchmark/Timer.php 
> /usr/lib/php/DB 
> /usr/lib/php/DB/common.php 
> /usr/lib/php/DB/ibase.php 
> /usr/lib/php/DB/msql.php 
> /usr/lib/php/DB/mssql.php 
> /usr/lib/php/DB/mysql.php 
> /usr/lib/php/DB/oci8.php 
> /usr/lib/php/DB/odbc.php 
> /usr/lib/php/DB/pgsql.php 
> /usr/lib/php/DB/storage.php 
> /usr/lib/php/DB/sybase.php 
> /usr/lib/php/File 
> /usr/lib/php/File/Find.php 
> /usr/lib/php/File/SearchReplace.php 
> /usr/lib/php/HTML 
> /usr/lib/php/HTML/Form.php 
> /usr/lib/php/Net 
> /usr/lib/php/Net/Socket.php 
> /usr/lib/php/Payment 
> /usr/lib/php/Payment/Verisign.php 
> /usr/lib/php/PEAR 
> /usr/lib/php/PEAR/Installer.php 
> /usr/lib/php/XML 
> /usr/lib/php/XML/Parser.php 
> /usr/lib/php/build 
> /usr/lib/php/build/pear.m4 
> /usr/lib/php/build/fastgen.sh 
> /usr/lib/php/build/library.mk 
> /usr/lib/php/build/ltlib.mk 
> /usr/lib/php/build/mkdep.awk 
> /usr/lib/php/build/program.mk 
> /usr/lib/php/build/rules.mk 
> /usr/lib/php/build/rules_common.mk 
> /usr/lib/php/build/rules_pear.mk 
> /usr/lib/php/build/dynlib.mk 
> /usr/lib/php/build/shtool 
> /usr/lib/php/build/dynlib.m4 
> /usr/lib/php/build/acinclude.m4 
> /usr/lib/php/DB.php 
> /usr/lib/php/HTTP.php 
> /usr/lib/php/PEAR.php 


List of installed mod_perl files on your system 

> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/mod_perl.exp 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/typemap 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/Symbol 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/Symbol/Symbol.so 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/Symbol/Symbol.bs 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/Leak 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/Leak/Leak.so 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/Leak/Leak.bs 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/support 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/support/suexec.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/regex 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/regex/cclass.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/regex/utils.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/regex/regex2.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/regex/cname.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/xmlparse.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/utf8tab.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/xmltok_impl.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/latin1tab.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/hashtable.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/xmlrole.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/nametab.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/xmltok.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/asciitab.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/xmldef.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/expat-lite/iasciitab.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/sdbm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/sdbm/sdbm_tune.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/sdbm/sdbm_pair.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/lib/sdbm/sdbm.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_config.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_config.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/util_date.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/compat.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_mmn.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/util_script.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_md5.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_ctype.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_conf_globals.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/httpd.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_main.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_log.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_sha1.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/explain.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/rfc1413.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_protocol.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_request.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_hook.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_core.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/multithread.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/http_vhost.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/buff.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_mm.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_ctx.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_alloc.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/scoreboard.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_compat.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/hsregex.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/ap_config_auto.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/fnmatch.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/util_uri.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/util_md5.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/include/conf.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/unix 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/unix/os-inline.c 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/unix/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/tpf 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/tpf/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/tpf/ebcdic.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/tpf/os-inline.c 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/os390 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/os390/ebcdic.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/os390/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/os390/os-inline.c 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/service.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/resource.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/getopt.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/readdir.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/passwd.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/registry.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/installer 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/installer/installdll 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/installer/installdll/test 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/installer/installdll/test/test.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/win32/installer/installdll/test/resource.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/netware 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/netware/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/netware/precomp.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/netware/test_char.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/netware/uri_delims.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/netware/getopt.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/os2 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/os2/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/os2/os-inline.c 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/mpeix 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/mpeix/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/mpeix/os-inline.c 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/bs2000 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/bs2000/ebcdic.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/bs2000/os.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/os/bs2000/os-inline.c 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/php4 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/php4/mod_php4.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/proxy 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/proxy/mod_proxy.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/perl 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/perl/mod_perl_xs.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/perl/apache_inc.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/perl/mod_perl_version.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/perl/perl_PL.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/perl/mod_perl.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/standard 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/standard/mod_rewrite.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/ssl 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/ssl/ssl_expr.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/ssl/ssl_expr_parse.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/ssl/ssl_util_sdbm.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/ssl/ssl_util_table.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/ssl/mod_ssl.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Apache/include/modules/ssl/ssl_util_ssl.h 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/mod_perl 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/mod_perl/.packlist 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl.pod 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl_hooks.pm.PL 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl_cvs.pod 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl_method_handlers.pod 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl_tuning.pod 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl_traps.pod 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/mod_perl_hooks.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/cgi_to_mod_perl.pod 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Bundle 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Bundle/Apache.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Registry.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/PerlSections.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/PerlRun.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Debug.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/src.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/RedirectLogFix.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Include.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/FakeRequest.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Options.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/RegistryLoader.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/MyConfig.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/ExtUtils.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Symdump.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Status.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/StatINC.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/RegistryBB.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/test.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/SizeLimit.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Resource.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/RegistryNG.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/httpd_conf.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/SIG.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Opcode.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Connection.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Constants.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/File.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Leak.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Log.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/ModuleConfig.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/PerlRunXS.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Server.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Symbol.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Table.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/URI.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Util.pm 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Constants 
> /usr/lib/perl5/site_perl/5.6.0/i386-linux/Apache/Constants/Exports.pm 
> /usr/share/man/man3/Apache.3pm 
> /usr/share/man/man3/Apache::Constants.3pm 
> /usr/share/man/man3/Apache::File.3pm 
> /usr/share/man/man3/Apache::Leak.3pm 
> /usr/share/man/man3/Apache::Log.3pm 
> /usr/share/man/man3/Apache::PerlRunXS.3pm 
> /usr/share/man/man3/Apache::Symbol.3pm 
> /usr/share/man/man3/Apache::Table.3pm 
> /usr/share/man/man3/Apache::URI.3pm 
> /usr/share/man/man3/Apache::Util.3pm 
> /usr/share/man/man3/mod_perl_cvs.3pm 
> /usr/share/man/man3/Apache::Registry.3pm 

> /usr/share/man/man3/Apache::SizeLimit.3pm 

> /usr/share/man/man3/cgi_to_mod_perl.3pm 

> /usr/share/man/man3/Apache::Resource.3pm 

> /usr/share/man/man3/Apache::PerlSections.3pm 

> /usr/share/man/man3/Apache::PerlRun.3pm 

> /ust/share/man/man3/Apache::Debug.3pm 

> /usr/share/man/man3/Apache::Symdump.3pm 

> /ust/share/man/man3/mod_perl_tuning.3pm 

> /usr/share/man/man3/Apache::Status.3pm 

> /ust/share/man/man3/Apache::RedirectLogFix.3pm 

> /usr/share/man/man3/Apache::ExtUtils.3pm 

> /ust/share/man/man3/mod_perl_method_handlers.3pm 

> /ust/share/man/man3/Apache::Include.3pm 

> /usr/share/man/man3/Apache::StatINC.3pm 

> /ust/share/man/man3/Apache::test.3pm 

> /ust/share/man/man3/Apache::RegistryLoader.3pm 

> /usr/share/man/man3/Apache::httpd_conf.3pm 

> /ust/share/man/man3/Apache::FakeRequest.3pm 

> /ust/share/man/man3/mod_perl.3pm 

> /ust/share/man/man3/Apache::src.3pm 

> /ust/share/man/man3/mod_perl_traps.3pm 

> /usr/share/man/man3/Apache::SIG.3pm 

> /usr/share/man/man3/Bundle::Apache.3pm 

> /usr/share/man/man3/Apache::Options.3pm 


30 Other Server - Samba File Sharing Server

In this Chapter

Recommended RPM packages to be installed for a Samba Server
Compiling - Optimizing & Installing Samba
Configuring Samba
Running Samba with SSL support
Securing Samba
Optimizing Samba
Samba Administrative Tools
Samba Users Tools


Linux Samba File Sharing Server


Abstract

Enterprise-level organizations often handle many different operating systems, and need to keep
them in a networked environment for file and printer sharing. Employees may work on
workstations running Linux, Microsoft Windows 95/98/2000/NT, OS/2 or Novell, and still need to
access the server in their daily work. A Linux server with Samba support can be used to serve
these kinds of activities.

Samba is a strong network service for file and print sharing that works on the majority of operating
systems available today. When well implemented by the administrator, it’s faster and more secure
than the native file sharing services available on Microsoft Windows machines.





As explained in the README file of Samba:

Samba is the protocol by which a lot of PC-related machines share files and printers, and other
information, such as lists of available files and printers. Operating systems that support this
natively include Windows 95/98/2000/NT, OS/2, and Linux, and add on packages that achieve
the same thing are available for DOS, Windows, VMS, Unix of all kinds, MVS, and more.

Apple Macs and some Web Browsers can speak this protocol as well. Alternatives to SMB
include Netware, NFS, AppleTalk, Banyan Vines, Decnet etc; many of these have advantages
but none are both public specifications and widely implemented in desktop machines by default.
Samba software includes an SMB server, to provide Windows NT and LAN Manager-style file and
print services to SMB clients such as Windows 2000, Warp Server, smbfs and others, a Net
BIOS (rfc1001/1002) name server, which amongst other things gives browsing support, an
ftp-like SMB client so that you can access PC resources (disks and printers) from Unix, Netware
and other operating systems, and finally, a tar extension to the client for backing up PCs.


In this chapter, we will explain and cover some of the basic ways in which you can adjust the
configuration to improve the server’s performance. Also, for interested users, we’ll provide a
procedure to run Samba with SSL protocol support. Running Samba with SSL support works
perfectly for Unix-to-Unix platforms but not for Windows-to-Unix. This is mainly because, at the
time of writing, Microsoft has not revised its file sharing system on Windows to support it.
Recommended RPM packages to be installed for a Samba Server

A minimal configuration provides the basic set of packages required by the Linux operating
system. A minimal configuration is a perfect starting point for building a secure operating system.
Below is the list of all recommended RPM packages required to run your Linux server properly as
a File Sharing (Net BIOS) server running the Samba software.

This configuration assumes that your kernel is a monolithic kernel. I also suppose that you will
install Samba from RPM packages. Therefore the samba, samba-common, and samba-client RPM
packages are already included in the list below, as you can see. None of the security tools are
installed; it is up to you to install them as you need, also from RPM packages, since the compiler
packages are not installed and are not included in the list.


basesystem                                      passwd            slocate
bash            file            libstdc++       popt              sysklogd
bdflush         filesystem      libtermcap      procps            syslinux
bind            fileutils       lilo            psmisc            SysVinit
bzip2           findutils       logrotate       pwdb              tar
chkconfig       gawk            losetup         qmail             termcap
console-tools   gdbm            MAKEDEV         quota             textutils
cpio            gettext         man             readline          tmpwatch
cracklib        glib            mingetty        rootfiles         utempter
cracklib-dicts  glibc           mktemp          rpm               util-linux
crontabs        glibc-common    mount           samba             vim-common
db1             grep            ncurses         samba-common      vim-minimal
db2             groff           net-tools       samba-client      vixie-cron
db3             gzip            newt            sed               words
dev             info            openssh         setup             which
devfsd          initscripts     openssh-server  sh-utils          zlib
diffutils       iptables        openssl         shadow-utils
e2fsprogs       kernel          pam             slang
Tested and fully functional on OpenNA.com.

These installation instructions assume

Commands are Unix-compatible.
The source path is /var/tmp (note that other paths are possible, at personal discretion).
Installations were tested on Red Hat 7.1.
All steps in the installation will happen using the super-user account “root”.
Whether kernel recompilation may be required: No
Latest Samba version number is 2.2.0


Packages
The following are based on information as listed by Samba as of 2001/03/13. Please regularly
check at www.samba.org for the latest status.

Source code is available from:

Samba Homepage: http://us1.samba.org/samba/samba.html
Samba FTP Site: 167.216.222.441

You must be sure to download: samba-2.2.0.tar.gz


Prerequisites
Samba requires that the software listed below be already installed on your system to be able to
compile successfully. If this is not the case, you must install it.

• To enable and use SSL encryption support in the software, the OpenSSL library should be
already installed on your system.

NOTE: For more information on OpenSSL software, see its related chapter in this book.





Pristine source

If you don’t use the RPM package to install this program, it will be difficult for you to locate all
the files installed on the system in the event of a future update. To solve the problem, it is a good
idea to make a list of files on the system before you install Samba, and one afterwards, and then
compare them using the diff utility of Linux to find out what files are placed where.

• Simply run the following command before installing the software:
[root@deep /root]# find /* > Samba1

• And the following one after you install the software:
[root@deep /root]# find /* > Samba2

• Then use the following command to get a list of what changed:
[root@deep /root]# diff Samba1 Samba2 > Samba-Installed

With this procedure, if any upgrade appears, all you have to do is to read the generated list of
what files were added or changed by the program and remove them manually from your system
before installing the new software. In our example above, we use the /root directory of the
system to store all generated list files.
Compiling - Optimizing & Installing Samba

Below are the required steps that you must take to compile and optimize the Samba software
before installing it on your Linux system. First off, we install the program as user ’root’ so as to
avoid authorization problems.


Step 1
Once you get the program from the main software site you must copy it to the /var/tmp
directory and change to this location before expanding the archive.

• These procedures can be accomplished with the following commands:
[root@deep /]# cp samba-version.tar.gz /var/tmp/
[root@deep /]# cd /var/tmp/
[root@deep tmp]# tar xzpf samba-version.tar.gz


Step 2
After that, move into the newly created Samba source subdirectory called “source” and perform
the following steps before configuring and optimizing Samba for your system.

• To move into the newly created Samba source subdirectory use the command:
[root@deep tmp]# cd samba-2.2.0/source/


Step 3
There are some source files to modify before going into the configuration and compilation of the
program; the changes allow us to fix some problems. The first modification that we do is to
relocate the lib directory of Samba to be under the /usr/bin directory.

• Edit the smbsh.in file (vi +3 smbwrapper/smbsh.in) and change the line:

SMBW_LIBDIR=${SMBW_LIBDIR-@builddir@/smbwrapper}

To read:

SMBW_LIBDIR=${SMBW_LIBDIR-/usr/bin}


Step 4
After that, we must specify that our sbin directory for Samba binary files will be located in
/usr/sbin, and that the /var directory for Samba log files will be under /var/log/samba.

• Edit the Makefile.in file (vi +33 Makefile.in) and change the following lines:

SBINDIR = @bindir@

To read:

SBINDIR = @sbindir@

VARDIR = @localstatedir@

To read:

VARDIR = /var/log/samba
Step 5
Here we specify to use the GNU Linux version of the awk text processing utility instead of the Bell
Labs research version of the awk program for the “smbpasswd” file.

• Edit the convert_smbpasswd file (vi +10 script/convert_smbpasswd) and
change the line:

nawk 'BEGIN {FS=":"}

To read:

gawk 'BEGIN {FS=":"}


Step 6
Here we fix a small bug in the configure.in file.

• Edit the configure.in file (vi +239 configure.in) and change the following lines:

# we need libcups for CUPS support...
AC_CHECK_LIB(cups, httpConnect)

To read:

# we need libcups for CUPS support...
dnl AC_CHECK_LIB(cups, httpConnect)


Step 7
Once the required modifications have been made to the related source files of Samba as
explained previously, it is time to configure and optimize it for our system.

• To configure and optimize Samba use the following compilation lines:
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer -I/usr/include/openssl" \
./configure \
--prefix=/usr \
--libdir=/etc/samba \
--mandir=/usr/share/man \
--with-lockdir=/var/lock/samba \
--with-privatedir=/etc/samba \
--with-swatdir=/usr/share/swat \
--with-sslinc=/usr/include/openssl \
--with-ssl \
--with-pam \
--with-quotas

This tells Samba to set itself up for this particular configuration setup with:
- Include SSL support.
- Include PAM password database support.
- Include experimental disk-quota support.
Step 8
Now, we must make a list of all existing files on the system before installing the software, and one
afterwards, then compare them using the diff utility tool of Linux to find out what files are placed
where, and finally install Samba on the server.

[root@deep source]# make all
[root@deep source]# cd
[root@deep /root]# find /* > Samba1
[root@deep /root]# cd /var/tmp/samba-2.2.0/source/
[root@deep source]# make install
[root@deep source]# install -m755 script/mksmbpasswd.sh /usr/bin/
[root@deep source]# rm -rf /usr/share/swat/
[root@deep source]# rm -f /usr/sbin/swat
[root@deep source]# rm -f /usr/share/man/man8/swat.8
[root@deep source]# rm -rf /usr/private
[root@deep source]# mkdir -m 0755 /var/lock/samba
[root@deep source]# mkdir -m 1777 /var/spool/samba
[root@deep source]# chmod 700 /var/log/samba
[root@deep source]# strip /usr/sbin/smbd
[root@deep source]# strip /usr/sbin/nmbd
[root@deep source]# /sbin/ldconfig
[root@deep source]# cd
[root@deep /root]# find /* > Samba2
[root@deep /root]# diff Samba1 Samba2 > Samba-Installed




















The install command will install the script “mksmbpasswd.sh” under the /usr/bin directory.
This script is needed to set up the Samba users allowed to connect to our server via the
“smbpasswd” file. See later in this documentation for how to set up and use Samba passwords.

The rm command will remove the /usr/share/swat directory and all the files under it, and it
will also remove the swat binary program under /usr/sbin. The SWAT program is a web-based
configuration utility that permits you to configure the smb.conf file of Samba via a web browser
interface. Of course, in order to use the SWAT utility you will need to have a web server running,
such as Apache. The SWAT utility can open a security breach on your server and for this reason I
recommend that you remove it and not use it.

The mkdir -m 1777 command will create a /var/spool/samba directory on your system for
all print sharing jobs you may have. Of course this directory is only necessary if you intend to use
Samba print sharing over your LAN. Pay special attention to this command since it will set the
“sticky” bit on /var/spool/samba so only a file’s owner can delete a given file in this directory.
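The find/diff bookkeeping introduced under Pristine source and repeated in Step 8 records paths only, so it cannot show that make install overwrote a file that already existed at the same path. The following Python script is an added example and not the book’s code: it records each regular file’s size and SHA-256 as well, classifies paths as added, removed or changed, and renders the result as a diff-like list whose “>” lines are the files to remove by hand before a later upgrade. The demo() run works on a constructed temporary tree; the usr/sbin names inside it are illustrative and are not the real install.

```python
"""Snapshot a directory tree before and after a source install and report what
was added, removed, or changed in place.

Added example, not from the book: the chapter's own procedure is
`find /* > Samba1`, install, `find /* > Samba2`, `diff Samba1 Samba2`. A path
listing cannot see a file that the install overwrote (same path, new content),
so each regular file is recorded with its size and SHA-256 as well.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]     # path -> (size, digest or kind)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Record every directory, symlink and regular file below `root`.
    Symlinks are recorded by target and never followed, so a link pointing
    into another tree does not drag that tree into the listing."""
    snap: Snapshot = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                snap[full] = (0, "link:" + os.readlink(full))
            elif os.path.isdir(full):
                snap[full] = (0, "dir")
            elif os.path.isfile(full):
                snap[full] = (os.path.getsize(full), _sha256(full))
    return snap


def compare(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Sorted path lists: added (only after), removed (only before), changed
    (in both, with a different size, content digest or link target)."""
    return {
        "added": sorted(p for p in after if p not in before),
        "removed": sorted(p for p in before if p not in after),
        "changed": sorted(p for p in after if p in before and after[p] != before[p]),
    }


def report(diff: Dict[str, List[str]]) -> str:
    """diff(1)-like rendering: '>' added, '<' removed, '!' changed. The '>'
    lines are the files to remove by hand before installing a newer release;
    the '!' lines are files the install replaced, which `find` alone misses."""
    lines = [f"> {p}" for p in diff["added"]]
    lines += [f"< {p}" for p in diff["removed"]]
    lines += [f"! {p}" for p in diff["changed"]]
    return "\n".join(lines)


def demo() -> Dict[str, List[str]]:
    """Constructed run in a temporary tree (paths returned relative to it):
    one file is overwritten, one created and one deleted between snapshots."""
    root = tempfile.mkdtemp(prefix="samba-install-")
    sbin = os.path.join(root, "usr", "sbin")       # illustrative names only
    os.makedirs(sbin)
    with open(os.path.join(sbin, "nmbd"), "w") as fh:
        fh.write("old nmbd")
    with open(os.path.join(sbin, "swat"), "w") as fh:
        fh.write("swat")
    before = snapshot(root)
    with open(os.path.join(sbin, "nmbd"), "w") as fh:
        fh.write("new nmbd")                # same size, new content
    with open(os.path.join(sbin, "smbd"), "w") as fh:
        fh.write("smbd")                    # newly installed
    os.remove(os.path.join(sbin, "swat"))   # removed, as the chapter does
    after = snapshot(root)
    diff = compare(before, after)
    return {k: [os.path.relpath(p, root) for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    print(report(demo()))
```

For a real run, call snapshot("/") before make install and again afterwards, then write report(compare(before, after)) to a file such as /root/Samba-Installed; hashing every file on the system takes longer than the book’s find, which is the price of catching overwritten files.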


Step 9
Once configuration, optimization, compilation, and installation of the Samba Server software have
been accomplished, we can free up some disk space by deleting the program tar archive and the
related source directory since they are no longer needed.

• To delete Samba and its related source directory, use the following commands:
[root@deep /]# cd /var/tmp/
[root@deep tmp]# rm -rf samba-version/
[root@deep tmp]# rm -f samba-version.tar.gz

The rm command as used above will remove all the source files we have used to compile and
install Samba. It will also remove the Samba compressed archive from the /var/tmp directory.
Configuring Samba

After Samba has been built and installed successfully on your system, your next step is to create,
configure and customize all options and parameters in the different Samba configuration files. The
different Samba configuration files to set up are:

• /etc/samba/smb.conf (The Samba Configuration File)
• /etc/samba/lmhosts (The Samba Net BIOS Mapping File)
• /etc/sysconfig/samba (The Samba System Configuration File)
• /etc/pam.d/samba (The Samba PAM Support Configuration File)
• /etc/logrotate.d/samba (The Samba Log Rotation File)
• /etc/rc.d/init.d/smb (The Samba Initialization File)


/etc/samba/smb.conf: The Samba Configuration File

The /etc/samba/smb.conf file is the main configuration file for the Samba suite and contains
runtime configuration information, in which you can specify the directories you want to access from
Windows client machines, the IP addresses that are authorized to connect, how the File Sharing
Server must run, and so on, through entries consisting of sections and parameters.

There are three special sections available with Samba. The first section, called [global],
contains global configuration directives common to all shares; these become the defaults for
sections which do not specifically define certain items (unless they are over-ridden on a per-share
basis).

The second section, called [homes], allows services connecting clients to their home directory to
be created on the fly by the File Sharing Server. This special section can represent any account
on the machine, which isn’t always desirable. For example, it can potentially create a share for
root, bin, sys, and similar users. Therefore, to eliminate this potential risk we must set an
invalid users option in the [homes] section to protect against this.

The last section, called [printers], works like the [homes] section but for printers. It allows
users to connect to any printer specified in the configuration file.

A lot of options exist, and it’s important to read the documentation that comes with Samba for
more information on each of the different settings and parameters available.

The following configuration example is a full working configuration file for Samba with encrypted
password support. Also, it’s important to note that I comment in this Samba configuration only
the parameters that relate to security and optimization, and leave all others to your own research.

In the example below, I have created just one directory called [tmp], and have allowed only
class C machine IP address ranges to connect to this directory on the Samba server. Therefore
don’t forget to add your own directories from which you want your client machines to connect.
The text in bold is the part of the configuration file that must be customized and adjusted to
satisfy your needs.
• Create the smb.conf file (touch /etc/samba/smb.conf) and add the following
parameters:

[global]
workgroup = OPENNA
server string = OpenNA Samba Server
encrypt passwords = True
security = user
smb passwd file = /etc/samba/smbpasswd
log file = /var/log/samba/log.%m
max log size = 0
socket options = IPTOS_LOWDELAY TCP_NODELAY
deadtime = 15
getwd cache = Yes
lpq cache time = 45
domain master = Yes
local master = Yes
preferred master = Yes
os level = 65
dns proxy = Yes
wins support = Yes
name resolve order = wins lmhosts host bcast
bind interfaces only = True
interfaces = eth0 192.168.1.1/24 127.0.0.1
hosts deny = ALL
hosts allow = 192.168.1. 207.35.78. 127.0.0.1
debug level = 1
create mask = 0644
directory mask = 0755
oplocks = True
level2 oplocks = True
read raw = No
write cache size = 262144

[homes]
comment = Home Directories
browseable = No
read only = Yes
invalid users = root bin daemon sync nobody sys tty disk mem kmem

[printers]
comment = Remote Printers
path = /var/spool/samba
browseable = No
printable = Yes
invalid users = root bin daemon sync nobody sys tty disk mem kmem

[tmp]
comment = Temporary File Space
path = /tmp
read only = No
valid users = smbadmin
invalid users = root bin daemon sync nobody sys tty disk mem kmem

This tells the smb.conf file to set itself up for this particular configuration setup with:
[global]

workgroup = OPENNA

This parameter “workgroup” specifies the workgroup your server will appear to be in when
queried by clients. It’s important to have the same workgroup name on both client and server
machines. Therefore don’t forget to set the same workgroup name in the client part from which
you want to connect to the server.

server string = OpenNA Samba Server

This parameter “server string” specifies the string that you wish to show to your users in the
printer comment box in print manager, or to the IPC connection when using the “net view”
command under Windows machines. It can be any string that you wish to show to your users.

encrypt passwords = True

This parameter “encrypt passwords”, if set to “True”, instructs Samba to use encrypted
passwords instead of plain text passwords when negotiating with the client. A sniffer program will
not be able to read your password when it is encrypted. This option must always be set to “True”
for security reasons. This is a security feature.

security = user

This parameter “security”, if set to “user”, specifies that a client must first “log on” with a valid
username and password, or the connection will be refused. This means that a valid username
and password for the client must exist in your /etc/passwd file on the Linux server and in the
/etc/smbpasswd file of the Samba server, or the connection from the client will fail. See
“Securing Samba” in this chapter for more information about the “smbpasswd” file. This
parameter is one of the most important settings in the smb.conf file. This is a security feature.

smb passwd file = /etc/samba/smbpasswd

This parameter “smb passwd file” specifies the path to the encrypted “smbpasswd” file. The
“smbpasswd” file is a copy of the /etc/passwd file of the Linux system containing valid
usernames and passwords of clients allowed to connect to the Samba server. The Samba
software reads this file (smbpasswd) when a connection is requested.

log file = /var/log/samba/log.%m

This parameter “log file” specifies the locations and names of Samba log files. With the name
extension “%m”, it allows you to have separate log files for each different user or machine that logs
on to your Samba server.

socket options = IPTOS_LOWDELAY TCP_NODELAY

This parameter “socket options” specifies parameters that you can include in your smb.conf
configuration file to tune and improve your Samba server for optimal performance. By default we
chose to tune the connection for a local network, and improve the performance of the Samba
server for transferring files. This is a performance feature.

deadtime = 15

This parameter “deadtime” specifies the number of minutes to wait for client inactivity before
considering that the connection is dead, and closing it. A deadtime of zero (the default setting)
indicates that no auto-disconnection should be performed. Using this parameter with a timeout of
a few minutes is recommended for better performance of the systems. This is a performance
feature.
getwd cache = Yes

This parameter “getwd cache”, if set to “Yes”, reduces the time taken for getwd()
calls by using a caching algorithm. This is a performance feature.

lpq cache time = 45

This parameter “lpq cache time” specifies how long lpq info will be cached in memory to
prevent the lpq command being called too often. A large value is recommended when your lpq
command is very slow on the system. This is a performance feature.

domain master = Yes

This parameter “domain master” sets “nmbd”, which is the Net BIOS name server
daemon, as a domain master browser for its given workgroup and enables WAN-wide browse list
collation. This option usually must be set to “Yes” on only ONE Samba server for all OTHER
Samba servers on the same network and workgroup.

local master = Yes

This parameter “local master” allows “nmbd”, which is the Net BIOS name server daemon, to
try to become a local master browser on a subnet. Like the above, usually this option must be set
to “Yes” on only ONE Samba server that acts as a local master on a subnet for all the OTHER
Samba servers on your network. Setting this parameter to “Yes” doesn’t guarantee that Samba will
become the local master browser on a subnet; it just ensures that Samba will participate in
elections for local master browser. Use it in conjunction with the parameters “domain master” and
“preferred master”.

preferred master = Yes

This parameter “preferred master” controls whether “nmbd” is a preferred master
browser for its workgroup. Once again, this must usually be set to “Yes” on ONE server for all the
others on your network. Use it in conjunction with the parameters “domain master” and “local
master”.

os level = 65

This parameter “os level” specifies by its integer value whether “nmbd” has a chance of
becoming a local master browser for the Workgroup in the local broadcast area. The number 65
will win against any NT Server. If you have an NT Server on your network, and want to set your
Linux Samba server to be a local master browser for the Workgroup in the local broadcast area,
then you must set the “os level” option to 65. Also, this option must be set on only ONE Linux
Samba server, and must be disabled on all other Linux Samba servers you may have on your
network. Use it in conjunction with the parameters “domain master”, “local master”, and
“preferred master”.

dns proxy = Yes

This parameter “dns proxy”, if set to “Yes”, specifies that “nmbd”, when acting as a WINS server
and finding that a Net BIOS name has not been registered, should treat the Net BIOS name
word-for-word as a DNS name and do a lookup with the DNS server for that name on behalf of the
name-querying client. Configuring the Samba server to act as a WINS server is a good thing for its
performance. I recommend that the Samba server which runs with the parameters “domain
master”, “local master” and “preferred master” set to “Yes” and “os level” set as above also
has this option “dns proxy” set to “Yes”, for better performance of your system.
wins support = Yes

This parameter “wins support”, if set to “Yes”, specifies that “nmbd” on the system will act as a
WINS server. For better performance, it is recommended to set at least one Samba server in your
network to be a WINS server. Note that you should NEVER set this to “Yes” on more than one
machine in your network. It is a good idea to set the Samba server that runs with the parameters
“domain master”, “local master” and “preferred master” set to “Yes” and “os level” set as above
to become the WINS server on the network (as we do here).

name resolve order = wins lmhosts host bcast

This parameter “name resolve order” specifies what naming services to use in order to
resolve host names to IP addresses, and in what order. The parameters we chose cause the
local “lmhosts” file of Samba to be examined first, followed by the rest. This is a performance
feature.

bind interfaces only = True

This parameter “bind interfaces only”, if set to “True”, allows you to limit what interfaces
on the server will serve “SMB” requests. This is a security feature. The configuration parameter
“interfaces” below completes this option.

interfaces = eth0 192.168.1.1/24 127.0.0.1

This parameter “interfaces” allows you to override the default network interface list that Samba
will use for browsing, name registration and other NBT traffic. By default, Samba will query the
kernel for the list of all active interfaces and use any interface that it finds. With the above
option, Samba will only listen on interface “eth0” on the IP addresses 192.168.1.1/24 and
127.0.0.1. This is a security feature, and completes the above configuration parameter “bind
interfaces only”. Please note that if the network address 127.0.0.1 is not added to the
“interfaces” parameter list then smbpasswd will fail to connect in its default mode, since we
use the “bind interfaces only” parameter in conjunction with the “interfaces” parameter
here. Therefore don’t forget to add 127.0.0.1 to the “interfaces” parameter list above.

hosts deny = ALL

This parameter “hosts deny” specifies the list of hosts that are NOT permitted access to Samba
services unless the specific services have their own lists to override this one. For simplicity, we
deny access to all hosts by default, and allow specific hosts in the “hosts allow” parameter list
as shown below. This is a security feature.

hosts allow = 192.168.1. 207.35.78. 127.0.0.1

This parameter “hosts allow” specifies which hosts are permitted to access a Samba service.
In our example we allow by default all hosts from the class C networks 192.168.1.* and
207.35.78.* and our localhost 127.0.0.1 to access the Samba server. Note that the localhost
must always be set or you will receive some error messages. This is a security feature.

debug level = 1

This parameter “debug level” allows the logging level to be specified in the “smb.conf” file. If
you set the debug level higher than 2 then you may suffer a large drop in performance. This is
because the server flushes the log file after each operation, which can be very expensive. This is
a performance feature.

create mask = 0644

This parameter “create mask” specifies and sets the necessary permissions according to the
mapping from DOS modes to UNIX permissions. With this option set to 0644, all files copied or
created from a Windows system onto the Unix system will have permissions of 0644 by default.
This is a security feature.
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directory mask = 0755 

This parameter “directory mask” specifies and set the octal modes, which are used when 
converting DOS modes to UNIX modes when creating UNIX directories. With this option set to 
0755, all directories copying or creating from a Windows system to the Unix system will have a 
permission of 0755 by default. This is a security feature. 


oplocks = True 

This parameter “oplocks”, tells smbd whether to issue oplocks (opportunistic locks) to file 
open requests. The oplock code can dramatically improve the speed of access to files on 
Samba servers and it is recommended to set this option to “True”. This is a performance feature. 


level2 oplocks = True 

This parameter “level2 oplocks’, if set to “True’, will increase the performance for many 
accesses of files that are not commonly written (such as . EXE application files). It is important for 
the "oplocks" (opportunistic locks) parameter to be set to "True" on this share in order for the 
"level2 oplocks " parameter to have any effect. This is a performance feature. 














read raw = No 

This parameter “read raw” controls whether or not the server will support the raw read SMB 
requests when transferring data to clients. Note that memory mapping is not used by the "read 
raw" operation. Thus, you may find memory mapping is more effective if you disable "read raw" 
using "read raw = No", like we do. This is a performance feature. 





write cache size = 262144 

This parameter, “write cache size”, allows Samba to improve performance on systems where the disk subsystem is a bottleneck. The value is specified in bytes, and 262,144 represents a 256k cache per open file. It is up to you to set this parameter according to the size of the files you expect to share from your server: if the majority of shared files are around 512K in size, you could set the parameter to “524288”. This is a performance feature.


[tmp] 


comment = Temporary File Space 

This parameter “comment” allows you to specify a comment that will appear next to a share when 
a client does queries to the server either via the network neighborhood or via "net view" to list 
what shares are available. 


path = /tmp 
This parameter “path” specifies a directory to which the user of the service is to be given access. 
In our example this is the “tmp” directory of the Linux server. 


read only = No 

This parameter, “read only”, specifies whether users are allowed only to read files in the share. In our example, since this is the “tmp” directory of the Linux server, users may also create and modify files.


valid users = smbadmin 


This parameter “valid users” specifies a list of users that should be allowed to login to this 
service. In our example only the user “smbadmin” is allowed to access the service. 
invalid users = root bin daemon sync nobody sys tty disk mem kmem

This parameter “invalid users” specifies a list of users that should not be allowed to login to 
this service. This is really a "paranoid" check to ensure an improper setting does not breach your 
security. It is recommended that you include all default users that run daemons on the server. 
This is a security feature. 
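Because the share-level settings above are easy to leave out by accident, here is an added Python example (my own code, not Samba's and not from this book) that parses an smb.conf and flags the omissions discussed in this section: writable shares without a “valid users” list, “invalid users” lists that do not exclude the daemon accounts, guest access, and masks that allow group or world write. The configuration embedded in it is constructed for the example: the shares from this chapter plus a deliberately weak [public] share. The function names are my own.

```python
# Added example: parse an smb.conf and flag share settings that weaken the
# protections discussed above. Not part of Samba or of the book. The sample
# configuration is constructed; [public] is the deliberately weak share.

SAMPLE_SMB_CONF = """\
[global]
   workgroup = OPENNA
   security = user
   encrypt passwords = True
   hosts deny = ALL
   hosts allow = 192.168.1. 127.0.0.1
   create mask = 0644
   directory mask = 0755

[homes]
   comment = Home Directories
   browseable = No
   read only = Yes
   invalid users = root bin daemon sync nobody sys tty disk mem kmem

[tmp]
   comment = Temporary File Space
   path = /tmp
   read only = No
   valid users = smbadmin
   invalid users = root bin daemon sync nobody sys tty disk mem kmem

; constructed weak share
[public]
   path = /srv/public
   read only = No
   guest ok = Yes
   create mask = 0666
"""

SYSTEM_ACCOUNTS = ("root", "bin", "daemon")   # minimum set to exclude


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace
    removed, which is how smbd itself compares parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


def share_is_writable(s):
    """'writeable'/'writable' is the inverse synonym of 'read only'."""
    if "writeable" in s or "writable" in s:
        return is_true(s.get("writeable", s.get("writable", "no")))
    return not is_true(s.get("readonly", "yes"))


def audit(sections):
    """Return (section, message) pairs for settings a reviewer would reject."""
    findings = []
    g = sections.get("global", {})
    if "hostsallow" not in g:
        findings.append(("global", "no 'hosts allow' restriction"))
    if not is_true(g.get("encryptpasswords", "no")):
        findings.append(("global", "'encrypt passwords' is off"))
    for name, share in sections.items():
        if name == "global":
            continue
        s = dict(g)
        s.update(share)                       # share values override [global]
        if is_true(s.get("guestok", "no")):
            findings.append((name, "guest access is enabled"))
        if share_is_writable(s):
            if "validusers" not in s:
                findings.append((name, "writable with no 'valid users' list"))
            excluded = set(s.get("invalidusers", "").split())
            missing = [u for u in SYSTEM_ACCOUNTS if u not in excluded]
            if missing:
                findings.append((name, "'invalid users' does not exclude "
                                 + " ".join(missing)))
        for key in ("createmask", "directorymask", "forcecreatemode",
                    "forcedirectorymode"):
            if key in s and int(s[key], 8) & 0o022:
                findings.append((name, "%s = %s allows group/other write"
                                 % (key, s[key])))
    return findings


if __name__ == "__main__":
    for section, message in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s] %s" % (section, message))
```

Run against the embedded configuration, only [public] produces findings; [homes] and [tmp] pass because the former is read only and the latter is restricted to smbadmin and excludes the daemon accounts.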


/etc/samba/lmhosts: The Samba NetBIOS Mapping File

The “lmhosts” file is the Samba NetBIOS name to IP address mapping file. It is very similar to the /etc/hosts file format, except that the hostname component must correspond to the NetBIOS naming format. The text in bold is the part of the file that must be customized and adjusted to satisfy your needs.


• Create the lmhosts file (touch /etc/samba/lmhosts) and add the following lines:

# Sample Samba lmhosts file.
#
127.0.0.1 localhost
192.168.1.30 station1
192.168.1.31 station2


In our example, this file contains three IP to NetBIOS name mappings: the localhost (127.0.0.1), which is always required, the client machine called station1 (192.168.1.30) and another client machine called station2 (192.168.1.31).


/etc/sysconfig/samba: The Samba System Configuration File 
The /etc/sysconfig/samba file is used to specify Samba system configuration information, 
such as if additional options are required to be passed to smbd and nmbd daemons at startup. 


• Create the samba file (touch /etc/sysconfig/samba) and add the following lines:

# Options to smbd
SMBDOPTIONS="-D"
# Options to nmbd
NMBDOPTIONS="-D"





The “SMBDOPTIONS” and “NMBDOPTIONS” parameters, with the “-D” option, instruct the Samba daemons to detach and operate as daemons on the system. These values must be specified in this file since, by default, smbd and nmbd will NOT operate as daemons. Operating the server as a daemon is the recommended way of running Samba on your server.


/etc/pam.d/samba: The Samba PAM Support Configuration File
For better security of Samba, we will configure it to use PAM support. To do that, you must create the /etc/pam.d/samba file and add the following parameters inside it. Be clear about what PAM covers here: with “encrypt passwords = True”, as in our smb.conf, the password itself is verified against the hashes in the smbpasswd file and not through the PAM “auth” stack, which is only consulted for clear-text SMB passwords; the “account” and “session” modules below (pam_access, pam_time, pam_limits) are applied to SMB logins only when “obey pam restrictions = Yes” is also set in smb.conf.

• Create the samba file (touch /etc/pam.d/samba) and add the following lines:

auth required /lib/security/pam_stack.so service=system-auth 
auth required /lib/security/pam_nologin.so 

account required /lib/security/pam_stack.so service=system-auth 
account required /lib/security/pam_access.so 

account required /lib/security/pam_time.so 

password required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_stack.so service=system-auth 
session required /lib/security/pam_limits.so 

session optional /lib/security/pam_console.so 





/etc/logrotate.d/samba: The Samba Log Rotation File

This file allows the Samba server to automatically rotate its log files at the specified time. Here we'll configure the /etc/logrotate.d/samba file to rotate the log files automatically each week (the weekly frequency is inherited from the global /etc/logrotate.conf).

• Create the samba file (touch /etc/logrotate.d/samba) and add the lines:

/var/log/samba/log.* {
    notifempty
    missingok
    sharedscripts
    copytruncate
    postrotate
        /bin/kill -HUP `cat /var/lock/samba/*.pid 2> /dev/null` 2> /dev/null || true
    endscript
}


/etc/rc.d/init.d/smb: The Samba Initialization File

The /etc/rc.d/init.d/smb script file is responsible for automatically starting and stopping the Samba smbd and nmbd daemons on your server. Running smbd and nmbd as standalone daemons, rather than spawning them from inetd for every connection, eliminates the start-up cost of each connection and even reduces swapping, since non-library code is shared.

Step 1
Create the smb script file (touch /etc/rc.d/init.d/smb) and add the following lines:


#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
#              used to provide SMB network services.

# Source function library.
if [ -f /etc/init.d/functions ] ; then
    . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
    . /etc/rc.d/init.d/functions
else
    exit 0
fi

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/samba ]; then
    . /etc/sysconfig/samba
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Check that smb.conf exists.
[ -f /etc/samba/smb.conf ] || exit 0

RETVAL=0

start() {
    KIND="SMB"
    echo -n $"Starting $KIND services: "
    daemon smbd $SMBDOPTIONS
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Starting $KIND services: "
    daemon nmbd $NMBDOPTIONS
    RETVAL2=$?
    echo
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && touch /var/lock/subsys/smb || \
        RETVAL=1
    return $RETVAL
}

stop() {
    KIND="SMB"
    echo -n $"Shutting down $KIND services: "
    killproc smbd
    RETVAL=$?
    echo
    KIND="NMB"
    echo -n $"Shutting down $KIND services: "
    killproc nmbd
    RETVAL2=$?
    [ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && rm -f /var/lock/subsys/smb
    echo ""
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    echo -n $"Reloading smb.conf file: "
    killproc smbd -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

# Named rhstatus so as not to shadow the status helper from the function library.
rhstatus() {
    status smbd
    status nmbd
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart)
    [ -f /var/lock/subsys/smb ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|reload|status|condrestart}"
    exit 1
esac

exit $?

Step 2

Once the smb script file has been created, it is important to make it executable, change its default permissions, create the necessary links and start it. Making this file executable allows the system to run it; changing its default permissions allows only the root user to change this file, for security reasons; and creating the symbolic links lets the process control initialization of Linux, which is in charge of starting all the normal and authorized processes that need to run at boot time on your system, start the program automatically for you at each reboot.

• To make this script executable and to change its default permissions, use the commands:
[root@deep /]# chmod 700 /etc/rc.d/init.d/smb
[root@deep /]# chown 0.0 /etc/rc.d/init.d/smb

• To create the symbolic rc.d links for Samba, use the following commands:
[root@deep /]# chkconfig --add smb
[root@deep /]# chkconfig --level 345 smb on

• To start the Samba daemons manually, use the following command:
[root@deep /]# /etc/rc.d/init.d/smb start
Starting SMB services: [OK]
Starting NMB services: [OK]
NOTE: All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, floppy-2.0.tgz, for your convenience. This can be downloaded from this web address: ftp://ftp.openna.com/ConfigFiles-v2.0/floppy-2.0.tgz. You can unpack this to any location on your local machine, say for example /var/tmp; assuming you have done this, your directory structure will be /var/tmp/floppy-2.0. Within this floppy directory each configuration file has its own directory for the respective software. You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or manually edit them to suit your needs. This facility is there as a convenience, but please don't forget that ultimately it is your responsibility to check and verify them before you use them, whether modified or as they are.
Running Samba with SSL support

This section applies only if you want to run Samba over an SSL connection. Running Samba with SSL support is usually only required when you share files with the outside world over the Internet. For a corporate network that runs Samba on a LAN for its Windows client machines this is not useful, since at this time Microsoft does not ship SSL support for File Sharing with its operating systems. To my knowledge there is one program, named “stunnel”, available from http://www.kuix.de/ssl/, which could help solve this problem on Windows machines, but I don’t recommend using it. Unfortunately the best option is to wait and hope that Microsoft provides SSL support for File Sharing in a future upgrade of its operating systems. For now you can use this feature of running Samba over an SSL connection with operating systems like Linux, through the smbclient program that comes with Samba. Note also that this built-in SSL support belongs to the Samba 2.x series; later Samba releases dropped it, so check the release notes of the version you install before relying on it.


Below | show you how to set up the required certificate to be able to use Samba through SSL 
connection. The principle is exactly the same as for creating a certificate for a Web Server (refer 
to OpenSSL chapter if you have problem creating the certificates). 


Step 1 

First you have to know the Fully Qualified Domain Name (FQDN) of the File Sharing Server for which you want to request a certificate. When you want to access your File Sharing Server through smb.mydomain.com, then the FQDN of your File Sharing Server is smb.mydomain.com.


Step 2 
Second, select five large and relatively random files from your hard drive (compressed log files are a good start) and put them under your /usr/share/ssl directory. These will act as your

• To select five random files and put them under /usr/share/ssl, use the commands:
[root@deep /]# cp /var/log/boot.log /usr/share/ssl/random1
[root@deep /]# cp /var/log/cron /usr/share/ssl/random2
[root@deep /]# cp /var/log/dmesg /usr/share/ssl/random3
[root@deep /]# cp /var/log/messages /usr/share/ssl/random4
[root@deep /]# cp /var/log/secure /usr/share/ssl/random5

Keep in mind that log files are partly predictable and therefore a weak source of entropy. On Linux, OpenSSL also seeds its generator from /dev/urandom, so these files only add to that seed; never let them replace it (for example by generating keys on a system without /dev/urandom).


Step 3 

Third, create the RSA private key, protected with a pass-phrase, for your Samba File Sharing Server. The command below generates a 1024-bit RSA private key and stores it in the file smb.key (1024 bits was the usual choice when this was written; today 2048 bits or more is the minimum you should generate, by replacing the trailing 1024 with 2048). It will ask you for a pass-phrase: use something secure and remember it. Your certificate will be useless without the key. If you don't want to protect your key with a pass-phrase (only if you absolutely trust that server machine, and you make sure the permissions are carefully set so that only you can read that key) you can leave out the -des3 option below.

• To generate the Key, use the following command:
[root@deep /]# cd /usr/share/ssl/
[root@deep ssl]# openssl genrsa -des3 -rand random1:random2:random3:random4:random5 -out smb.key 1024
123600 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.......................++++++
................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
WARNING: Please back up your smb.key file and keep the pass-phrase you had to enter in a secure location. A good choice is to back up this information onto a diskette or other removable media.





Step 4 

Finally, generate a Certificate Signing Request (CSR) with the server RSA private key. The command below will prompt you for the X.509 attributes of your certificate. Remember to give the name smb.mydomain.com when prompted for “Common Name”. Do not enter your personal name here. We are requesting a certificate for a File Sharing Server, so the Common Name has to match the FQDN of that server.


• To generate the CSR, use the following command:
[root@deep ssl]# openssl req -new -key smb.key -out smb.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [OpenNA.com]:
Organizational Unit Name (eg, section) [OpenNA.com File Sharing Server]:
Common Name (eg, YOUR name) [smb.openna.com]:
Email Address [noc@openna.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

WARNING: Make sure you enter the FQDN (Fully Qualified Domain Name) of the server when OpenSSL prompts you for the “Common Name” (i.e. when you generate a CSR for a File Sharing Server which will later be accessed via smb.mydomain.com, enter smb.mydomain.com here).





After generation of your Certificate Signing Request (CSR), you could send this request to a commercial Certifying Authority (CA) like Thawte or Verisign for signing. You usually have to paste the CSR into a web form, pay for the signing, await the signed Certificate and store it in a smb.crt file. The result is then a real Certificate, which can be used for Samba.
Step 5

You are not obligated to send your Certificate Signing Request (CSR) to a commercial Certifying Authority (CA) for signing. In some cases, and with a Samba File Sharing Server, you can become your own Certifying Authority (CA) and sign your certificate yourself. In the step below I assume that the CA key pair required for signing certificates yourself already exists on the server; if this is not the case, please refer to the chapter related to OpenSSL in this book for more information about how to create your CA key pair and become your own Certifying Authority (CA). Clients will only accept such a certificate if they have been given your CA certificate to verify it against.


• To sign server CSRs in order to create real SSL Certificates, use the following command:
[root@deep ssl]# /usr/share/ssl/misc/sign.sh smb.csr
CA signing: smb.csr -> smb.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'CA'
stateOrProvinceName   :PRINTABLE:'Quebec'
localityName          :PRINTABLE:'Montreal'
organizationName      :PRINTABLE:'OpenNA.com'
organizationalUnitName:PRINTABLE:'OpenNA.com File Sharing Server'
commonName            :PRINTABLE:'smb.openna.com'
emailAddress          :IA5STRING:'noc@openna.com'
Certificate is to be certified until Mar 15 02:51:52 2002 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: smb.crt <-> CA cert
smb.crt: OK

This signs the CSR and results in a smb.crt file.


Step 6 
Now, we must place the certificate files (smb.key and smb.crt) in the appropriate directories and change their default permission modes to 0400 (-r--------), owned by the super-user ‘root’, for Samba to be able to find and use them when it starts its daemon. Strictly, only the private key must be unreadable by others; the certificate is public, but there is no harm in protecting it the same way.


• To place the certificates into the appropriate directory, use the following commands:
[root@deep ssl]# mv smb.key private/
[root@deep ssl]# mv smb.crt certs/
[root@deep ssl]# chmod 400 private/smb.key
[root@deep ssl]# chmod 400 certs/smb.crt
[root@deep ssl]# chown 0.0 private/smb.key
[root@deep ssl]# chown 0.0 certs/smb.crt
[root@deep ssl]# rm -f smb.csr


First we move the smb.key file to the private directory and the smb.crt file to the certs directory. After that we change the permission mode and ownership of both files so that they are readable only by, and owned by, the super-user ‘root’, for security reasons. Finally we remove the smb.csr file from our system since it is no longer needed.
smb.conf file. The text in bold is the part of the lines that must be customized and adjusted to satisfy your needs.


• Edit the smb.conf file (vi /etc/samba/smb.conf), and add the following lines:

[global]
workgroup = OPENNA
server string = OpenNA Samba Server
encrypt passwords = True
security = user
smb passwd file = /etc/samba/smbpasswd
log file = /var/log/samba/log.%m
max log size = 0
socket options = IPTOS_LOWDELAY TCP_NODELAY
deadtime = 15
getwd cache = Yes
lpq cache time = 45
domain master = Yes
local master = Yes
preferred master = Yes
os level = 65
dns proxy = Yes
wins support = Yes
name resolve order = wins lmhosts host bcast
bind interfaces only = True
interfaces = eth0 192.168.1.1/24 127.0.0.1
hosts deny = ALL
hosts allow = 192.168.1. 207.35.78. 127.0.0.1
debug level = 1
create mask = 0644
directory mask = 0755
oplocks = True
level2 oplocks = True
read raw = No
write cache size = 262144
ssl = Yes
ssl CA certFile = /usr/share/ssl/certs/ca.crt
ssl server cert = /usr/share/ssl/certs/smb.crt
ssl server key = /usr/share/ssl/private/smb.key

[homes]
comment = Home Directories
browseable = No
read only = Yes
invalid users = root bin daemon sync nobody sys tty disk mem kmem

[printers]
comment = Remote Printers
path = /var/spool/samba
browseable = No
printable = Yes
invalid users = root bin daemon sync nobody sys tty disk mem kmem

[tmp]
comment = Temporary File Space
path = /tmp
read only = No
valid users = smbadmin
invalid users = root bin daemon sync nobody sys tty disk mem kmem


The "ssl" variable enables SSL mode on the Samba server. The second variable, "ssl CA certFile", defines where to find the Certification Authority (CA) certificate that peers are verified against. "ssl server cert" specifies where the file containing the server's certificate is located, and "ssl server key" specifies where the file containing the server's private key is located.








NOTE: The "ssl CA certFile" variable is not needed if you don't verify client certificates. Please read your manual for more information on the subject.





Step 8 

Samba's SSL-enabled connections run by default on port 139 with the smbd daemon. To allow external traffic through this port (139), we must add a new rule to our firewall script file for the File Sharing Server to accept external connections. Please note that this is only required if you want to share your files over the Internet; for a LAN it is not required at all.


• Edit the iptables script file (vi /etc/rc.d/init.d/iptables), and add/check the following lines to allow Samba packets with SSL support to traverse the network:

# Samba SSL server (139)
# ----------------------
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
         -s $IPADDR --source-port $UNPRIVPORTS \
         --destination-port 139 -j ACCEPT

iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
         --source-port 139 \
         -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

Where EXTERNAL_INTERFACE="eth0" # Internet connected interface
Where IPADDR="207.35.78.11" # Your IP address for eth0
Where UNPRIVPORTS="1024:" # Unprivileged port range

Check the direction of this pair before relying on it: as written, it permits connections that this host opens to port 139 on a remote server (the OUTPUT rule) and the replies to them (the INPUT rule, which only accepts packets without the SYN flag, i.e. packets of an already established connection). To accept connections from Internet clients to the local smbd you also need the mirror pair: an INPUT rule with "-d $IPADDR --destination-port 139" from the unprivileged source ports, and an OUTPUT rule with "! --syn -s $IPADDR --source-port 139" back to them. In either case restrict the remote addresses in the rule whenever you can, rather than leaving port 139 reachable from the whole Internet.
Step 9

Finally, we must restart our Samba server and firewall for the changes to take effect.

• To restart Samba use the following command:
[root@deep /]# /etc/rc.d/init.d/smb restart
Shutting down SMB services: [OK]
Shutting down NMB services: [OK]
Starting SMB services: [OK]
Starting NMB services: [OK]

• To restart your firewall use the following command:
[root@deep /]# /etc/rc.d/init.d/iptables restart
Shutting Firewalling: done
Starting Firewalling: done
NOTE: With SSL support activated in Samba, the smbd daemon will ask you during startup to enter the pass-phrase of the private key, so don’t forget it. This also means that smbd cannot come up unattended after a reboot; if that is unacceptable, generate the key without the -des3 option (see Step 3) and rely on the 0400 root-only permissions to protect it.





Step 10 
Now that Samba is started, it is time to verify that everything runs as expected. A good way to test whether Samba is working properly is to use the smbclient program.

• On the Samba server, enter the following command, substituting the appropriate share and user for a connection:
[root@deep /]# smbclient //localhost/tmp -U smbadmin -I 192.168.1.1
SSL: Certificate OK: /C=CA/ST=Quebec/L=Montreal/O=OpenNA.com/OU=OpenNA.com File Sharing Server/CN=smb.openna.com/Email=noc@openna.com
SSL: Certificate OK: /C=CA/ST=Quebec/L=Montreal/O=OpenNA.com/OU=OpenNA.com File Sharing Server/CN=smb.openna.com/Email=noc@openna.com
SSL: negotiated cipher: DES-CBC3-SHA
Password:
Domain=[OPENNA] OS=[Unix] Server=[Samba 2.2.0]
smb: \> exit

If you see several debugging statements followed by a line indicating the negotiated cipher, such as "SSL: negotiated cipher: DES-CBC3-SHA", congratulations: your Samba File Sharing Server is working with SSL support enabled.





Securing Samba 

This section deals especially with actions we can make to improve and tighten security under 
Samba. The interesting points here are that we refer to the features available within the base 
installed program and not to any additional software. 


Create the encrypted Samba password file for your clients connections 

The /etc/samba/smbpasswd file is where the Samba encrypted passwords are stored. It contains the username, Unix UID and SMB hashed passwords of the users allowed on your Samba server, as well as account flag information and the time the password was last changed.


It’s important to create this password file and include all allowed users to it before your client 


machines try to connect to your File Sharing Server. Without this step, no one will be able to 
connect to your Samba server. 
Step 1

To create new Samba users accounts on the system, you must first have a valid Linux account for 
them, therefore it is important before generating the “smbpasswd” file of Samba which will handle 
all Samba users allowed to connect to the system, to create in /etc/passwd file all users you 
want to be able to connect to your Samba server. 


• Use the following command to create new users in the /etc/passwd file. This step must be done for each additional user that you allow to access the File Sharing Server.

[root@deep /]# useradd -s /bin/false smbadmin 2>/dev/null || :
[root@deep /]# passwd smbadmin
Changing password for user smbadmin
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

The useradd command adds the new Samba user named smbadmin to the File Sharing Server. The ‘-s’ option specifies the user’s login shell, in our case /bin/false, so the account cannot be used for an interactive login; the “2>/dev/null || :” part only silences the error message and keeps the command from failing if the account already exists. Finally, the passwd command sets the Unix password for the user ‘smbadmin’.

Pay special attention to the command above, which I use to generate the Samba user account. As you can see, this user does not have a shell on the system; he just has a valid username and password to log in to Samba and nothing else.


Step 2 
Once we have added all Samba clients to our /etc/passwd file on the Linux server, we can generate the “smbpasswd” file from the /etc/passwd file.

• To generate the “smbpasswd” file from the /etc/passwd file, use the following command:
[root@deep /]# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

Be aware that this copies every account in /etc/passwd, system accounts included, into the smbpasswd file. The entries are written with placeholder hashes (a row of X characters), so none of them can authenticate until a password is set with smbpasswd, but you may prefer to add only the users you actually need with “smbpasswd -a”, as in Step 3, and to remove any leftover system account entries.


Step 3 
Finally, the last step will be to create the same Samba user account in our new generated 
/etc/samba/smbpasswd file before we can use it. 


e Tocreate the same Samba user account, use the following command: 
[root@deep /]# smbpasswd -a smbadmin 
New SMB password: 
Retype new SMB password: 
Added user smbadmin. 
Password changed for user smbadmin. 


Step 4 
Don’t forget to change the permissions of the new “smbpasswd” file so that it is readable and writable only by the super-user ‘root’, with no access for group and other (0600/-rw-------). This is a security measure.

[root@deep /]# chmod 600 /etc/samba/smbpasswd
[root@deep /]# testparm

The testparm command verifies the smb.conf file for possible errors; run it after every edit of the configuration.
NOTE: See the file called “ENCRYPTION.txt” in samba/doc/texts/ for more information.
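Because the smbpasswd file now gates every SMB login, it is worth checking it rather than trusting it. The following Python example is added here (it is not Samba's code and not from this book): it parses the smbpasswd(5) line format, username:uid:LM hash:NT hash:[flags]:LCT-time:, and reports the entries a reviewer would reject: system accounts, the 'N' (no password required) flag, the hashes of the empty password, placeholder entries left by mksmbpasswd.sh, stored LM hashes, and a file mode other than 0600 owned by root. The sample entries are constructed, with made-up hash values except for the two well-known hashes of the empty password; the uid cut-off of 499 assumes the Red Hat convention of the time for system accounts.

```python
# Added example: audit an smbpasswd file in the format of smbpasswd(5).
# Not part of Samba or of the book. SAMPLE is constructed; its hash values
# are made up except for LM_EMPTY/NT_EMPTY, the hashes of the empty password.
import os
import stat
import tempfile

LM_EMPTY = "AAD3B435B51404EEAAD3B435B51404EE"
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"
NO_HASH = "X" * 32                      # left by mksmbpasswd.sh: cannot log in
NO_PASSWORD = "NO PASSWORD".ljust(32, "X")
SYSTEM_UID_MAX = 499                    # assumption: Red Hat system accounts
DAEMON_USERS = set("root bin daemon sync nobody sys tty disk mem kmem".split())

SAMPLE = "\n".join([
    "# constructed sample smbpasswd file",
    "smbadmin:501:5B4B2A9B6C3F7E1D0A8C4E2F1B3D5A7C:"
    "9F8E7D6C5B4A39281706F5E4D3C2B1A0:[U          ]:LCT-3AAF2D40:",
    "root:0:%s:%s:[U          ]:LCT-00000000:" % (NO_HASH, NO_HASH),
    "guest:502:%s:%s:[UN         ]:LCT-3AAF2D40:" % (NO_PASSWORD, NO_PASSWORD),
    "empty:503:%s:%s:[U          ]:LCT-3AAF2D40:" % (LM_EMPTY, NT_EMPTY),
    "gone:504:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[UD         ]:LCT-3AAF2D40:",
])


def parse_smbpasswd(text):
    """Yield one dict per entry: user:uid:lm_hash:nt_hash:[flags]:LCT-hex:"""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6 or len(fields[2]) != 32 or len(fields[3]) != 32:
            raise ValueError("malformed entry: " + line)
        user, uid, lm, nt, flags = fields[:5]
        yield {"user": user, "uid": int(uid), "lm": lm.upper(),
               "nt": nt.upper(), "flags": set(flags.strip("[] "))}


def audit_entries(entries):
    """Return (user, message) pairs for entries that weaken authentication."""
    findings = []
    for e in entries:
        u = e["user"]
        if "D" in e["flags"]:
            continue                        # disabled account: nothing to gain
        if e["uid"] <= SYSTEM_UID_MAX or u in DAEMON_USERS:
            findings.append((u, "system account present in smbpasswd"))
        if "N" in e["flags"]:
            findings.append((u, "'N' flag: no password required"))
        if e["nt"] == NT_EMPTY or e["lm"] == LM_EMPTY:
            findings.append((u, "hash of the empty password"))
        if e["nt"] == NO_HASH and e["lm"] == NO_HASH:
            findings.append((u, "placeholder entry, no password ever set"))
        elif e["lm"] != NO_HASH and not e["lm"].startswith("NO PASSWORD"):
            findings.append((u, "LM hash stored (weak, easily cracked)"))
    return findings


def file_mode_findings(path):
    """Step 4 of the text: the file must be 0600 and owned by root."""
    st = os.stat(path)
    findings = []
    if stat.S_IMODE(st.st_mode) != 0o600:
        findings.append("mode is 0%o, expected 0600" % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        findings.append("owned by uid %d, expected root" % st.st_uid)
    return findings


def demo_file_mode():
    """Create a scratch file and check it at 0644 and again at 0600."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        loose = file_mode_findings(path)
        os.chmod(path, 0o600)
        tight = file_mode_findings(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for user, message in audit_entries(parse_smbpasswd(SAMPLE)):
        print("%-9s %s" % (user, message))
    print(demo_file_mode())
```

Note that the legitimate smbadmin entry is reported too, for its LM hash: Samba 2.2 stores the LM hash alongside the NT hash by default, and the LM hash of a password is far cheaper to crack than its NT hash, so the file deserves the 0600 root-only protection the text insists on.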








Immunize important configuration files 

The immutable bit can be used to prevent a file that must be protected from being accidentally deleted or overwritten. While it is set, the file cannot be modified, renamed or removed and no hard link can be created to it, even by root; only root (more precisely, a process holding the CAP_LINUX_IMMUTABLE capability) can clear the bit again with chattr -i, so this guards against mistakes and unprivileged tampering, not against an attacker who already has root. Once your “smb.conf” and “lmhosts” files have been configured, it’s a good idea to immunize them with a command like:

[root@deep /]# chattr +i /etc/samba/smb.conf
[root@deep /]# chattr +i /etc/samba/lmhosts


Optimizing Samba 

This section deals especially with actions we can take to improve the performance of the Samba server. Note that we refer to the features available within the base installed program.


Get some fast SCSI hard disks

Once again, one of the most important parts of optimizing a Samba server, as for the majority of SQL database servers, is the speed of your hard disk: the faster it is, the faster your File Sharing Server will run. A SCSI disk with low seek times, like 4.2ms, can make all the difference, and much better performance can also be obtained with RAID technology.


Setting the “wide links” Samba parameter in the configuration file

From a performance standpoint, setting the "wide links" Samba parameter to "No" in the Samba configuration file /etc/samba/smb.conf is a mistake. This option, if set to “No”, instructs Samba not to follow symbolic links that point outside of the area exported as a share.

In order to determine whether a link points outside the shared area, Samba has to follow the link and then do a directory path lookup to determine where on the file system the link ended up. This adds a total of six extra system calls per filename lookup, and Samba looks up filenames a lot. A published test showed that setting this parameter to "No" caused a 25- to 30-percent slowdown in Samba performance. Therefore setting it to "No" can have a negative effect on your server performance because of the extra system calls Samba has to make to perform the link checks.

Weigh that cost against what the check buys you before switching it off. With "wide links = Yes", any symbolic link inside a share is followed wherever it points, so a user who can create symlinks in a writable share (directly on the Unix side, or through a client that supports Samba's unix extensions) can expose files outside the share, /etc/passwd for instance, to every SMB client allowed to read that share. Keep the check enabled on writable shares unless you have verified that nobody untrusted can create links in them, and accept the performance penalty there.
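The check that "wide links = No" makes smbd perform is simple to state: resolve every symbolic link in the requested path and confirm the result is still below the share root. The following Python example (added here, my own code rather than Samba's or the book's) implements that check and exercises it on a scratch share built for the purpose, with a harmless link, a link planted to escape the share, and a path using "..". The file outside the share stands in for something like /etc/passwd.

```python
# Added example of the containment check behind "wide links = No": resolve
# every symlink in the requested path and verify the result is still under
# the share root. Not Samba's code; demo() builds a constructed scratch share.
import os
import shutil
import tempfile


def resolves_inside(share_root, client_path):
    """True if client_path, relative to the share, ends up under share_root
    once every symbolic link (and any ".." component) has been resolved."""
    root = os.path.realpath(share_root)
    target = os.path.realpath(os.path.join(root, client_path))
    return target == root or target.startswith(root + os.sep)


def demo():
    """Build a scratch share with a harmless link and an escaping link and
    report which client paths a link-checking server would allow."""
    base = tempfile.mkdtemp()
    try:
        share = os.path.join(base, "share")
        os.makedirs(os.path.join(share, "docs"))
        open(os.path.join(share, "docs", "readme.txt"), "w").close()
        outside = os.path.join(base, "outside.txt")     # not exported
        open(outside, "w").close()
        # Links a user with write access to the share (or anyone on the
        # Unix side) could plant:
        os.symlink("readme.txt", os.path.join(share, "docs", "alias"))
        os.symlink(outside, os.path.join(share, "docs", "escape"))
        return {
            "docs/readme.txt": resolves_inside(share, "docs/readme.txt"),
            "docs/alias": resolves_inside(share, "docs/alias"),
            "docs/escape": resolves_inside(share, "docs/escape"),
            # smbd rejects ".." components before it gets this far; shown
            # here only to confirm the check would catch it anyway.
            "docs/../../outside.txt": resolves_inside(share,
                                                      "docs/../../outside.txt"),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, allowed in demo().items():
        print("%-25s %s" % (path, "allowed" if allowed else "refused"))
```

The two realpath calls are exactly the extra work the text describes: each one is a full directory walk, and with "wide links = Yes" Samba skips them and trusts wherever the link leads.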


Tuning the buffer cache 

The modification of the file system cache-tuning parameters can significantly improve Linux file- 
serving performance--up to a factor of two. Linux will attempt to use memory not being used for 
any other purpose for file system caching. A special daemon, called “bdflush’, will periodically 
flush "dirty" buffers (buffers that contain modified file system data or metadata) to the disk. 


The secret to good performance is to keep as much of the data in memory for as long as is 


possible. Writing to the disk is the slowest part of any file system. If you know that the file system 
will be heavily used, then you can tune this process for Linux Samba. 
As with many kernel tunable options, this modification can be done on the fly by writing to special files in the /proc file system. The trick is that you have to tell Linux you want it to do that, which you do with the sysctl settings below. Note that vm.bdflush (and vm.buffermem, described next) exist only in the 2.2 and 2.4 kernel series; 2.6 and later kernels replaced them with the vm.dirty_* parameters and will reject these entries.

The default setup for the “bdflush” parameters under Red Hat Linux is:
"30 64 64 256 500 3000 60 0 0"


Step 1 
To change the values of bdflush, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Improve file system performance for Samba
vm.bdflush = 80 500 64 64 15 6000 6000 0 0


Step 2 
You must restart your network for the change to take effect (on Red Hat the network script runs sysctl -p, which loads /etc/sysctl.conf). The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]


The above modifications in the /proc file system tell “bdflush” not to worry about writing out dirty blocks to the disk until the file system buffer cache is 80 percent full (80). The other values tune such things as the number of buffers to write out in one disk operation (500), how long to allow dirty buffers to age in the kernel (60*HZ), etc.








NOTE: There is another way to update the entry without restarting the network by using the 


following command into your terminal screen: 
[root@deep /]# sysctl -w vm.bdflush="80 500 64 64 15 6000 6000 0 0" 





Tuning the buffermem 

Another helpful tuning hint is to tell Linux the following: Use a minimum of 60 percent of memory 
for the buffer cache; only prune when the percentage of memory used for the buffer cache gets 
over 10 percent (this parameter is now unused); and allow the buffer cache to grow to 60 percent 
of all memory (this parameter is also unused now). 


The default setup for the buf fermem parameters under Red Hat Linux is: 
"2 10 60" 


Step 1 
To change the values of buffermem, type the following command on your terminal:

• Edit the sysctl.conf file (vi /etc/sysctl.conf) and add the following line:

# Improve virtual memory performance for Samba
vm.buffermem = 60 10 60
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Step 2 
You must restart your network for the change to take effect. The command to restart the network is the following:

• To restart all network devices manually on your system, use the following command:
[root@deep /]# /etc/rc.d/init.d/network restart
Setting network parameters [OK]
Bringing up interface lo [OK]
Bringing up interface eth0 [OK]
Bringing up interface eth1 [OK]

Recall that the last two parameters (10 and 60) are unused by the system so we don’t need to 
change the default ones. 








NOTE: There is another way to update the entry without restarting the network by using the 


following command into your terminal screen: 
[root@deep /]# sysctl -w vm.buffermem="60 10 60"





Further documentation 
For more details about Samba program, there are several manual pages you can read: 


$ man samba (7) - A Windows SMB/CIFS fileserver for UNIX
$ man smb.conf (5) - The configuration file for the Samba suite
$ man smbclient (1) - An ftp-like client to access SMB/CIFS resources on servers
$ man smbd (8) - Server to provide SMB/CIFS services to clients
$ man smbmnt (8) - Mount smb file system
$ man smbmount (8) - Mount smb file system
$ man smbpasswd (5) - The Samba encrypted password file
$ man smbpasswd (8) - Change a user's SMB password
$ man smbrun (1) - Interface program between smbd and external programs
$ man smbsh (1) - Allows access to Windows NT filesystem using UNIX commands
$ man smbstatus (1) - Report on current Samba connections
$ man smbtar (1) - Shell script for backing up SMB shares directly to UNIX tape drives
$ man smbumount (8) - Umount for normal users
$ man testparm (1) - Check an smb.conf configuration file for internal correctness
$ man testprns (1) - Check printer name for validity with smbd


Samba Administrative Tools 
The commands listed below are some that we use often, but many more exist. Check the manual 
pages and documentation of Samba for more information. 

smbstatus 
The smbstatus utility is a very simple program to list the current Samba connections. 

• To report current Samba connections, use the following command: 
[root@deep /]# smbstatus 

Samba version 2.2.0 
Service      uid       gid       pid     machine 
IPC$         smbadmin  smbadmin  2688    station1 (192.168.1.30) Wed Mar 14 16:44:49 2001 

No locked files 
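A listing like the one above is also a cheap detection source: a share opened from a machine outside the subnet Samba is meant to serve deserves a look. The following added example (not from the book) reads smbstatus-style connection lines from standard input and reports every session whose client address does not start with a given prefix, exiting non-zero when it finds one. The status text, host names and addresses are constructed to match the layout shown above; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the book: flag Samba sessions from outside the
# expected network. Assumes only POSIX sh and awk. SAMPLE_STATUS is a
# constructed smbstatus listing in the Samba 2.2 layout shown above.

SAMPLE_STATUS='Samba version 2.2.0
Service      uid       gid       pid     machine
IPC$         smbadmin  smbadmin  2688    station1 (192.168.1.30) Wed Mar 14 16:44:49 2001
Tmp          wahib     users     2701    station2 (192.168.1.31) Wed Mar 14 16:45:03 2001
Tmp          guest     nobody    2713    laptop9 (10.0.0.7) Wed Mar 14 16:47:10 2001

No locked files'

# foreign_connections PREFIX  (status text on standard input)
#   Prints "user@machine(ip)" for every connection line whose client IP does
#   not begin with PREFIX (e.g. 192.168.1.); exits 1 if any were found,
#   0 otherwise, so it can drive an alert from cron.
foreign_connections() {
    awk -v prefix="$1" '
        # connection lines carry the client address as "(a.b.c.d)" in field 6
        $6 ~ /^\([0-9.]+\)$/ {
            ip = substr($6, 2, length($6) - 2)
            if (index(ip, prefix) != 1) {
                print $2 "@" $5 "(" ip ")"
                found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Demo over the constructed listing: only the 10.0.0.7 session is reported.
printf '%s\n' "$SAMPLE_STATUS" | foreign_connections 192.168.1. || echo "foreign session(s) found"
```

On a live server the same function is fed with `smbstatus | foreign_connections 192.168.1.`; the exit status, not the text, is what a cron job or monitoring check should key on. The field positions match the Samba 2.2 layout reproduced above and need adjusting for other versions.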


smbclient 

The smbclient program utility for Samba works much like the interface of the FTP program. This 
small program allows you to get files from the server to the local machine, put files from the local 
machine to the server, retrieve directory information from the server, and so on. 

• To connect to a Windows machine with the smbclient utility, use the following command: 
[root@deep /]# smbclient //station1/Tmp -U smbadmin -I 192.168.1.1 

Password: 
Domain=[OPENNA] OS=[Windows NT 5.0] Server=[NT LAN Manager 5.0] 
smb: \> ls 
  .                     D   Tue Mar 14 15:31:50 2001 
  ..                    D   Tue Mar 14 15:31:50 2001 
  PostgreSQL            D   Tue Mar 14 15:32:22 2001 
  Squid                 D   Tue Mar 14 15:32:28 2001 
  Imap                  D   Tue Mar 14 15:32:38 2001 
  E_comm                D   Tue Mar 14 15:32:42 2001 
  StackGuard.pdf        A   Tue Dec 21 20:41:34 2001 

                65510 blocks of size 32768. 5295 blocks available 
smb: \> exit 

Where “//station1” is the name of the server you want to connect to, “/Tmp” is the directory 
on this server you want to connect to, and “smbadmin” is your username on this machine. The 
“-I” option indicates to use the specified network interface for the connection. 


List of installed Samba files on your system 

> /etc/rc.d/init.d/smb 
> /etc/samba/smb.conf 
> /etc/samba/lmhosts 
> /etc/pam.d/samba 
> /etc/logrotate.d/samba 
> /etc/sysconfig/samba 
> /etc/samba/codepages 
> /etc/samba/codepages/codepage.437 
> /etc/samba/codepages/unicode_map.437 
> /etc/samba/codepages/codepage.737 
> /etc/samba/codepages/unicode_map.737 
> /etc/samba/codepages/codepage.775 
> /etc/samba/codepages/codepage.850 
> /etc/samba/codepages/unicode_map.850 
> /etc/samba/codepages/codepage.852 
> /etc/samba/codepages/unicode_map.852 
> /etc/samba/codepages/codepage.861 
> /etc/samba/codepages/unicode_map.861 
> /etc/samba/codepages/codepage.932 
> /etc/samba/codepages/unicode_map.932 
> /etc/samba/codepages/codepage.866 
> /etc/samba/codepages/unicode_map.866 
> /etc/samba/codepages/codepage.949 
> /etc/samba/codepages/unicode_map.949 
> /etc/samba/codepages/codepage.950 
> /etc/samba/codepages/unicode_map.950 
> /etc/samba/codepages/codepage.936 
> /etc/samba/codepages/unicode_map.936 
> /etc/samba/codepages/codepage.1251 
> /etc/samba/codepages/unicode_map.ISO8859-1 
> /etc/samba/codepages/unicode_map.ISO8859-2 
> /etc/samba/codepages/unicode_map.ISO8859-5 
> /etc/samba/codepages/unicode_map.ISO8859-7 
> /etc/samba/codepages/codepage.857 
> /etc/samba/codepages/unicode_map.857 
> /etc/samba/codepages/unicode_map.ISO8859-9 
> /usr/bin/smbpasswd 
> /usr/bin/make_smbcodepage 
> /usr/bin/make_unicodemap 
> /usr/bin/rpcclient 
> /usr/bin/nmblookup 
> /usr/bin/make_printerdef 
> /usr/bin/smbtar 
> /usr/bin/addtosmbpass 
> /usr/bin/convert_smbpasswd 
> /usr/bin/mksmbpasswd.sh 
> /usr/bin/smbclient 
> /usr/bin/smbspool 
> /usr/bin/testparm 
> /usr/bin/testprns 
> /usr/bin/smbstatus 
> /usr/bin/smbcontrol 
> /usr/sbin/smbd 
> /usr/sbin/nmbd 
> /usr/share/man/man1/findsmb.1 
> /usr/share/man/man1/make_smbcodepage.1 
> /usr/share/man/man1/make_unicodemap.1 
> /usr/share/man/man1/nmblookup.1 
> /usr/share/man/man1/smbclient.1 
> /usr/share/man/man1/smbcontrol.1 
> /usr/share/man/man1/smbrun.1 
> /usr/share/man/man1/smbsh.1 
> /usr/share/man/man1/smbstatus.1 
> /usr/share/man/man1/smbtar.1 
> /usr/share/man/man1/testparm.1 
> /usr/share/man/man1/testprns.1 
> /usr/share/man/man1/wbinfo.1 
> /usr/share/man/man5/lmhosts.5 
> /usr/share/man/man5/smb.conf.5 
> /usr/share/man/man5/smbpasswd.5 
> /usr/share/man/man7/samba.7 
> /usr/share/man/man8/nmbd.8 
> /usr/share/man/man8/rpcclient.8 
> /usr/share/man/man8/smbd.8 
> /usr/share/man/man8/smbmnt.8 
> /usr/share/man/man8/smbmount.8 
> /usr/share/man/man8/smbpasswd.8 
> /usr/share/man/man8/smbspool.8 
> /usr/share/man/man8/smbumount.8 
> /usr/share/man/man8/winbindd.8 
> /var/log/samba 
> /var/lock/samba 
> /var/spool/samba 
Part XIII Backup Related Reference 
In this Part 

Backup - Tar & Dump 

Any serious network topology requires backup policies and procedures. They are absolutely 
needed, and you cannot skip them if you want to protect valuable information and data against 
possible loss and errors. Now that everything is running smoothly and as you expect it to on 
your secure servers, it is time to think a little about a procedure to ensure that your hard work 
to protect and secure your systems is not for nothing. 
31 Backup - Tar & Dump 
In this Chapter 

Recommended RPM packages to be installed for a Backup Server 
The tar backup program 
Making backups with tar 
Automating tasks of backups made with tar 
Restoring files with tar 
The dump backup program 
Making backups with dump 
Restoring files with dump 
Backing up and restoring over the network 
Recommended RPM packages to be installed for a Backup Server 

A minimal configuration provides the basic set of packages required by the Linux operating 
system. A minimal configuration is a perfect starting point for building a secure operating system. 
Below is the list of all recommended RPM packages required to run your Linux server properly as 
a Backup server running the Amanda software. 

This configuration assumes that your kernel is a monolithic kernel. I also suppose that you will 
install Amanda from the RPM package. Therefore, the amanda, amanda-server, and amanda-client 
RPM packages are already included in the list below, as you can see. No security tools are 
installed; it is up to you to install them as you need, by RPM packages too, since the compiler 
packages are not installed and are not included in the list. Amanda is not presently discussed in 
this book, but you can install it from your vendor's CD-ROM and run it as it comes. 


amanda           devfsd           info             openssh          slocate 
amanda-server    diffutils        initscripts      openssh-server   sysklogd 
amanda-client    dump             iptables         openssl          syslinux 
basesystem       e2fsprogs        kernel           pam              SysVinit 
bash             ed               less             passwd           tar 
bdflush          file             libstdc++        popt             termcap 
bind             filesystem       libtermcap       procps           textutils 
bzip2            fileutils        lilo             psmisc           tmpwatch 
chkconfig        findutils        logrotate        pwdb             utempter 
console-tools    gawk             losetup          qmail            util-linux 
cpio             gdbm             MAKEDEV          readline         vim-common 
cracklib         gettext          man              rootfiles        vim-minimal 
cracklib-dicts   glib             mingetty         rpm              vixie-cron 
crontabs         glibc            mktemp           sed              words 
db1              glibc-common     mount            setup            which 
db2              grep             ncurses          sh-utils         zlib 
db3              groff            net-tools        shadow-utils 
dev              gzip             newt             slang 

Tested and fully functional on OpenNA.com. 
Linux Tar & Dump 


Abstract 

A secure and reliable server is closely related to performing regular backups. Failures will 
probably occur sometimes. They may be caused by attacks, hardware failure, human error, 
power outages, etc. The safest method of doing backups is to record them in a location separate 
from your Linux system, like over a network, on tape, a removable drive, a writable CD-ROM, etc. 

Many methods of performing backups with Linux exist, such as the “dump”, “tar”, “cpio” and 
“dd” commands, which are each available by default on your Linux system. Also available are text- 
based utility programs, such as “Amanda”, which is designed to add a friendlier user interface to 
the backup and restore procedures. Finally, commercial backup utilities are also available, such 
as “BRU”. 

The procedures for performing a backup and restore will differ depending on your choice of 
backup solution. For this reason we will discuss methods for performing backups with the 
traditional UNIX tools “tar” and “dump”, which are command-line backup tools. 


What to backup 

The idea of making a backup is to back up as much as possible on your system, but some 
exceptions exist, as shown below. It is not logical to include these in your backup, since you will 
lose time and space on your media for nothing. 

The major exceptions not to include in your backup are: 

✓ The /proc file system: since it only contains data that the kernel generates 
automatically, it is never a good idea to back it up. 

✓ The /mnt file system, because it is where you mount your removable media like CD- 
ROM, floppy disk and others. 

✓ The backup directory or media where you have placed your backup files, such as a tape, 
CD-ROM, NFS mounted file system, remote/local directory or other kind of media. 

✓ Software that can be easily reinstalled, though it may have configuration files that are 
important to back up, lest you do all the work to configure it all over again. I 
recommend putting them (the configuration files for software) on a floppy disk. 


The tar backup program 

The tar backup program is an archiving program designed to store and extract files from an 
archive file known as a tarfile. A tarfile may be made on a tape drive; however, it is also common 
to write a tarfile to a normal file. 

A simple backup scheme 

When you decide to make a backup of files on your system, you must choose a backup scheme 
before beginning your backup procedure. A lot of strategic backup schemes exist, and they 
depend on the backup policies you want to use. In the following, I will show you one backup 
scheme that you may use, which takes advantage of the tar program’s possibilities. This scheme 
is to first back up everything once, then back up everything that has been modified since the 
previous backup. The first backup is called a full backup; the subsequent ones are incremental 
backups. 
Making backups with tar 

With six tapes you can make backups every day; the procedure is to use tape 1 for the first full 
backup (Friday 1), and tapes 2 to 5 for the incremental backups (Monday through Thursday). 
Then, you make a new full backup on tape 6 (second Friday), and start doing incremental ones 
with tapes 2 to 5 again. It’s important to keep tape 1 in its state until you've got a new full backup 
on tape 6. In the following example, we assume that we write the backup to a SCSI tape 
drive named “/dev/st0”, and we back up the home directory “/home” of our system. 

First of all, we move to the “/” root partition. When creating an archive file, tar strips 
leading “/” (slash) characters from file path names. This means that restored files may not end up 
in the same locations they were backed up from. Therefore, the solution to this problem is 
to change to the “/” root directory before making all backups and restorations. 

• To move to the “/” root directory, use the command: 
[root@deep]# cd / 

It is important to always start with a full backup (say, on a Friday), for example: 

• Friday 1, (use tape 1 for the first full backup). 
[root@deep /]# cd / 
[root@deep /]# tar cpf /dev/st0 --label="full-backup created on \
`date '+%d-%B-%Y'`." --directory / home 

• Monday, (use tape 2 for the incremental backups). 
[root@deep /]# cd / 
[root@deep /]# tar cpf /dev/st0 -N "<date of the last full backup>" \
--label="incremental backup created on `date '+%d-%B-%Y'`." --directory / home 

• Tuesday, (use tape 3 for the incremental backups). 
[root@deep /]# cd / 
[root@deep /]# tar cpf /dev/st0 -N "<date of the last full backup>" \
--label="incremental backup created on `date '+%d-%B-%Y'`." --directory / home 

• Wednesday, (use tape 4 for the incremental backups). 
[root@deep /]# cd / 
[root@deep /]# tar cpf /dev/st0 -N "<date of the last full backup>" \
--label="incremental backup created on `date '+%d-%B-%Y'`." --directory / home 

• Thursday, (use tape 5 for the incremental backups). 
[root@deep /]# cd / 
[root@deep /]# tar cpf /dev/st0 -N "<date of the last full backup>" \
--label="incremental backup created on `date '+%d-%B-%Y'`." --directory / home 

• Friday 2, (use tape 6 for the new full backup). 
[root@deep /]# cd / 
[root@deep /]# tar cpf /dev/st0 --label="full-backup created on \
`date '+%d-%B-%Y'`." --directory / home 

• Now, start doing incremental ones with tapes 2 to 5 again, and so on. 

The “N” option requires a DATE argument; in the incremental commands above, 
“<date of the last full backup>” is a placeholder for the date of the Friday full backup 
(e.g. the date written on its label). 
The “c” option specifies that an archive file is beginning to be created. 
The “p” option preserves permissions; file protection information will be “remembered”. 
The “N” option does an incremental backup and only stores files newer than DATE. 
The “f” option states that the very next argument will be the name of the archive file or device being written. 

Notice how a label, which contains the current date, is derived, simply by enclosing the 
“date” command between two back-quote characters. A common naming convention is to add a 
“tar” suffix for non-compressed archives, and a “tar.gz” suffix for compressed ones. Since we 
aren't able to specify a filename for the backup set, the “--label” option can be used to write 
some information about the backup set into the archive file itself. Finally, only the files contained 
in /home are written to the tape. 

Because the tape drive is a character device, it is not possible to specify an actual file name. 
Therefore the file name used as an argument to tar is simply the name of the device /dev/st0, 
the first tape device. The /dev/nst0 device does not rewind after the backup set is written; 
therefore, it is possible to write multiple sets on one tape. You may also refer to the device as 
/dev/st0, in which case the tape is automatically rewound after the backup set is written. When 
working with tapes you can use the following commands to rewind and eject your tape: 

[root@deep /]# mt -f /dev/st0 rewind 
[root@deep /]# mt -f /dev/st0 offline 








WARNING: To reduce the space needed on a tar archive, the backups can be compressed with 
the “z” option of the tar program. Unfortunately, using this option to compress backups can cause 
trouble. Due to the nature of how compression works, if a single bit in the compressed backup is 
wrong, all the rest of the compressed data will be lost. It’s recommended NOT to use 
compression (the “z” option) to make backups with the tar command. 





• If your backup doesn't fit on one tape, you'll have to use the --multi-volume (-M) option: 
[root@deep /]# cd / 
[root@deep /]# tar cMpf /dev/st0 /home 
Prepare volume #2 for /dev/st0 and hit return: 

• After you have made a backup, you should check that it is OK, using the --compare (-d) 
option as shown below: 
[root@deep /]# cd / 
[root@deep /]# tar dvf /dev/st0 

• To perform a backup of your entire system, use the following command: 
[root@deep /]# cd / 
[root@deep /]# tar cpf /archive/full-backup-`date '+%d-%B-%Y'`.tar \
--directory / --exclude=proc --exclude=mnt --exclude=archive \
--exclude=cache --exclude=*/lost+found . 

The “--directory” option informs tar to first switch to the following directory path (the “/” 
directory in this example) prior to starting the backup. The “--exclude” options inform tar not 
to bother backing up the specified directories or files. Finally, the “.” character at the end of the 
command tells tar that it should back up everything in the current directory. 
WARNING: When backing up your file systems, do not include the /proc pseudo-file-system! The 
files in /proc are not actually files but are simply file-like links which describe and point to kernel 
data structures. Also, do not include the /mnt, /archive, and all lost+found directories. 





Automating tasks of backups made with tar 

It is always interesting to automate the tasks of a backup. Automation offers enormous 
opportunities for using your Linux server to achieve the goals you set. The following example 
is our backup script, named “backup.cron”. 

This script is designed to run on any computer by changing only the four variables COMPUTER, 
DIRECTORIES, BACKUPDIR, and TIMEDIR. We suggest that you set this script up and run it at 
the beginning of the month for the first time, and then run it for a month before making major 
changes. In our example below we do the backup to a directory on the local server (BACKUPDIR), 
but you could modify this script to do it to a tape on the local server or via an NFS mounted file 
system. 

Step 1 
Create the backup script backup.cron file (touch /etc/cron.daily/backup.cron) and 
add the following lines to this backup file: 


#!/bin/sh 
# full and incremental backup script 
# created 07 February 2000 
# Based on a script by Daniel O'Callaghan <danny@freebsd.org> 
# and modified by Gerhard Mourani <gmourani@openna.com> 

# Change the 5 variables below to fit your computer/backup 

COMPUTER=deep                           # name of this computer 
DIRECTORIES="/home"                     # directories to backup 
BACKUPDIR=/backups                      # where to store the backups 
TIMEDIR=/backups/last-full              # where to store time of full backup 
TAR=/bin/tar                            # name and location of tar 

# You should not have to change anything below here 

PATH=/usr/local/bin:/usr/bin:/bin 
DOW=`date +%a`                          # Day of the week e.g. Mon 
DOM=`date +%d`                          # Date of the Month e.g. 27 
DM=`date +%d%b`                         # Date and Month e.g. 27Sep 

# On the 1st of the month a permanent full backup is made 
# Every Sunday a full backup is made - overwriting last Sunday's backup 
# The rest of the time an incremental backup is made. Each incremental 
# backup overwrites last week's incremental backup of the same name. 
# 
# if NEWER = "", then tar backs up all files in the directories 
# otherwise it backs up files newer than the NEWER date. NEWER 
# gets its date from the file written every Sunday. 

# Monthly full backup 
if [ $DOM = "01" ]; then 
        NEWER="" 
        $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DM.tar $DIRECTORIES 
fi 

# Weekly full backup 
if [ $DOW = "Sun" ]; then 
        NEWER="" 
        NOW=`date +%d-%b` 

        # Update full backup date 
        echo $NOW > $TIMEDIR/$COMPUTER-full-date 
        $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES 

# Make incremental backup - overwrite last week's 
else 

        # Get date of last full backup 
        NEWER="--newer `cat $TIMEDIR/$COMPUTER-full-date`" 
        $TAR $NEWER -cf $BACKUPDIR/$COMPUTER-$DOW.tar $DIRECTORIES 
fi 


Here is an abbreviated look at the backup directory after one week: 

[root@deep /]# ls -l /backups/ 
total 22217 
-rw-r--r--   1 root     root     10731288 Feb  7 11:24 deep-01Feb.tar 
-rw-r--r--   1 root     root         6879 Feb  7 11:24 deep-Fri.tar 
-rw-r--r--   1 root     root         2831 Feb  7 11:24 deep-Mon.tar 
-rw-r--r--   1 root     root         7924 Feb  7 11:25 deep-Sat.tar 
-rw-r--r--   1 root     root     11923013 Feb  7 11:24 deep-Sun.tar 
-rw-r--r--   1 root     root         5643 Feb  7 11:25 deep-Thu.tar 
-rw-r--r--   1 root     root         3152 Feb  7 11:25 deep-Tue.tar 
-rw-r--r--   1 root     root         4567 Feb  7 11:25 deep-Wed.tar 
drwxr-xr-x   2 root     root         1024 Feb  7 11:20 last-full 











WARNING: The directory where the backups are stored (BACKUPDIR), and the directory where the 
time of the full backup is stored (TIMEDIR), must exist or be created before the backup script is 
used, or you will receive an error message. 

I also recommend that you set the permission mode of these directories to (0700/-rwx------), 
owned by the user making the backup. It is important that normal users cannot access, in our 
example, the /backups directory. 





Step 2 

If you are not running this backup script from the beginning of the month (01-month-year), the 
incremental backups will need the time of the Sunday backup to be able to work properly. If you 
start in the middle of the week, you will need to create the time file in the TIMEDIR. 

• To create the time file in the TIMEDIR directory, use the following command: 
[root@deep /]# date +%d-%b > /backups/last-full/myserver-full-date 

Where </backups/last-full> is our variable TIMEDIR where we want to store the time of 
the full backup, <myserver-full-date> carries the name of our server (e.g., deep), and our 
time file consists of a single line with the present date (i.e. 15-Feb). 
Step 3 
Make this script executable and change its default permissions to be writable only by the super- 
user “root” (0700/-rwx------). 

[root@deep /]# chmod 700 /etc/cron.daily/backup.cron 








NOTE: Because this script is in the /etc/cron.daily directory, it will be automatically run as a 
cron job at one o'clock in the morning every day. 
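As an added example (not the book's backup.cron, whose day-of-month and day-of-week rule it reproduces), the following shell code takes the dates as arguments so the decision can be exercised on any day, and performs the incremental step with its cut-off date handed to tar explicitly, as the script does with --newer and the date file. It uses --newer-mtime rather than --newer: --newer (the “N” option) also treats a file whose ctime is newer as changed, so a chmod or chown alone re-selects it, while --newer-mtime looks at content modification only. It assumes GNU tar and a POSIX sh; the file and directory names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the book's backup.cron: the same full/weekly/incremental
# selection rule with the dates injected as arguments, plus the incremental
# tar step with the cut-off date given explicitly. Assumes GNU tar and POSIX
# sh/touch; the tree built by demo_incremental is constructed.

# backup_plan DOM DOW DM LASTFULL
#   DOM day of month (01..31), DOW three-letter weekday, DM e.g. 01Feb,
#   LASTFULL the date read from $TIMEDIR/<computer>-full-date.
# Prints one "archive mode" line per archive the day would produce; mode is
# FULL or the cut-off option that would be handed to tar.
backup_plan() {
    dom=$1; dow=$2; dm=$3; lastfull=$4; computer=${COMPUTER:-deep}
    if [ "$dom" = "01" ]; then               # permanent monthly full backup
        echo "$computer-$dm.tar FULL"
    fi
    if [ "$dow" = "Sun" ]; then              # weekly full, overwrites last Sunday's
        echo "$computer-$dow.tar FULL"
    else                                     # incremental since the last full
        echo "$computer-$dow.tar --newer-mtime=$lastfull"
    fi
}

# incremental_backup ARCHIVE ROOT SINCE NAME...
#   Archive the NAMEs below ROOT whose contents changed after SINCE (any date
#   GNU tar understands, e.g. 2001-02-10), preserving permissions, with ROOT
#   stripped so that a later restore from ROOT puts files back where they were.
#   --newer-mtime compares mtime only; the book's -N/--newer also counts a
#   newer ctime, so a chmod or chown alone is enough to re-select a file.
incremental_backup() {
    archive=$1; root=$2; since=$3; shift 3
    tar -cpf "$archive" --newer-mtime="$since" --directory "$root" "$@"
}

# archive_has ARCHIVE MEMBER: true if MEMBER is listed in ARCHIVE
archive_has() {
    tar -tf "$1" | grep -qxF "$2"
}

# Demo: a constructed tree with one file older and one newer than the recorded
# full-backup date; only the newer file should be selected. Returns 0 on success.
demo_incremental() {
    root=$(mktemp -d)
    mkdir -p "$root/home"
    touch -t 200102010000 "$root/home/old.txt"   # dated before the full backup
    touch "$root/home/new.txt"                    # dated now, i.e. after it
    incremental_backup "$root/inc.tar" "$root" 2001-02-10 home
    ok=1
    if archive_has "$root/inc.tar" home/new.txt && ! archive_has "$root/inc.tar" home/old.txt; then
        ok=0
    fi
    rm -rf "$root"
    return $ok
}

demo_incremental && echo "incremental selection OK"
```

The date written by the script to $TIMEDIR/$COMPUTER-full-date is the single input an incremental run depends on; if that file is missing or empty, tar gets no cut-off and the “incremental” silently becomes a full backup or fails, which is why Step 2 above creates it by hand when starting mid-week.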





Restoring files with tar 

More important than performing regular backups is having them available when we need to 
recover important files! In this section, we will discuss methods for restoring files which have 
been backed up with the “tar” command. 

The following command will restore all files from the “full-backup-Day-Month-Year.tar” 
archive, which is an example backup of our /home directory created from the example tar 
commands shown above. 

• To restore a full backup of the /home directory, use the following commands: 
[root@deep /]# cd / 
[root@deep /]# tar xpf /dev/st0/full-backup-Day-Month-Year.tar 

The above command extracts all files contained in the compressed archive, preserving original 
file ownership and permissions. 

The “x” option stands for extract. 
The “p” option preserves permissions; file protection information will be “remembered”. 
The “f” option states that the very next argument will be the name of the archive file or device. 

If you do not need to restore all the files contained in the archive, you can specify one or more 
files that you wish to restore: 

• To specify one or more files that you wish to restore, use the following commands: 
[root@deep]# cd / 
[root@deep]# tar xpf /dev/st0/full-backup-Day-Month-Year.tar \
home/wahib/Personal/Contents.doc home/quota.user 

The above command restores the /home/wahib/Personal/Contents.doc and 
/home/quota.user files from the archive. 

• If you just want to see what files are in the backup volume, use the --list (-t) option: 
[root@deep /]# tar tf /dev/st0 








WARNING: If you have files on your system set with the immutable bit, using the “chattr” 
command, these files will not keep the immutable bit when restored from your backup. 
You must set them immutable again with the command “chattr +i” after the restore is completed. 

Testing the ability to recover from backups 

For many system administrators, recovering a file from a backup is an uncommon activity. This 
step assures that if you need to recover a file, the tools and processes will work. Performing this 
test periodically will help you to discover problems with the backup procedures so you can correct 
them before losing data. Some backup restoration software does not accurately recover the 
correct file protection and file ownership controls. Check the attributes of restored files to ensure 
they are being set correctly. Periodically test to ensure that you can perform a full system 
recovery from your backups. 
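For the attribute check described above, the following is an added example (not from the book): it restores an archive into a scratch directory and compares the mode and owner of every member with the live tree, so the check can be repeated after every backup run. It assumes GNU tar and GNU stat (Linux); the /home tree it builds is constructed, and member names must not contain whitespace.

```shell
#!/bin/sh
# Added example, not from the book: verify that a tar restore reproduces the
# mode and owner of every member. Assumes GNU tar and GNU stat; the tree in
# demo_verify is constructed, and member names must not contain whitespace.

# attr_mismatches ARCHIVE LIVEROOT [EXTRACT_OPTION]
#   Extracts ARCHIVE with EXTRACT_OPTION (default -p, preserve permissions)
#   into a temporary directory and prints "member live restored" for each
#   member whose mode or owner differs from the copy under LIVEROOT.
#   Returns the number of mismatches, so 0 means the restore is faithful.
attr_mismatches() {
    archive=$1; live=$2; opt=${3:--p}
    scratch=$(mktemp -d)
    tar -x "$opt" -f "$archive" -C "$scratch"
    count=0
    for m in $(tar -tf "$archive"); do
        m=${m%/}                                  # directory entries end in /
        a=$(stat -c '%a %U' "$live/$m")
        b=$(stat -c '%a %U' "$scratch/$m")
        if [ "$a" != "$b" ]; then
            echo "$m $a $b"
            count=$((count + 1))
        fi
    done
    rm -rf "$scratch"
    return $count
}

# Demo: a private file (0600) and a world-writable one (0666) in a constructed
# /home. Restoring with -p keeps both exactly; restoring through the umask
# (--no-same-permissions) silently turns 0666 into 0644, which is the kind of
# drift the check is meant to catch. Prints "<mismatches with -p> <without>".
demo_verify() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/live/home"
    echo secret > "$root/live/home/quota.user"; chmod 600 "$root/live/home/quota.user"
    echo shared > "$root/live/home/notes.txt";  chmod 666 "$root/live/home/notes.txt"
    tar -cpf "$root/full.tar" -C "$root/live" home
    faithful=0; attr_mismatches "$root/full.tar" "$root/live" -p >/dev/null || faithful=$?
    lax=0;      attr_mismatches "$root/full.tar" "$root/live" --no-same-permissions >/dev/null || lax=$?
    rm -rf "$root"
    echo "$faithful $lax"
}
```

Run against a real archive as `attr_mismatches /archive/full-backup-<date>.tar /`, the printed lines are the files to look at; the immutable bit discussed in the WARNING above is not part of the mode and still has to be checked with lsattr separately.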


Further documentation 
For more details, there is one manual page that you can read: 


tar (1) - The GNU version of the tar archiving utility 


The dump backup program 

Dump is completely different from tar; it is a program for backing up and restoring file systems. It 
backs up the entire file system, not the files. Dump does not care what file system is on the 
hard drive, or even if there are files in the file system. It examines files on an ext2 file system, 
determines which ones need to be backed up, and copies those files to a specified disk, tape, file 
or other storage medium. It dumps one file system at a time, quickly and efficiently. 

Unfortunately, it does not do individual directories, and so it eats up a great deal more storage 
space than tar. It is also written specifically for backups. The restore command performs the 
inverse function of dump; it can restore a full backup of a file system. Subsequent incremental 
backups can then be layered on top of the full backup. Single files and directory subtrees may 
also be restored from full or partial backups. You can use dump if you need a procedure for both 
backing up file systems and restoring file systems after backups. 


The Dump levels 

Dump has several levels of backup procedures. The levels range from 0 to 9, where level number 
0 means a full backup and guarantees the entire file system is copied. A level number above 0, an 
incremental backup, tells dump to copy all files new or modified since the last dump of the same 
or lower level. To be more precise, at each incremental backup level you back up everything that 
has changed since the previous backup at the same or a previous level. 

What are the advantages of, and the reasons for, creating and using several levels to make a backup? I 
try to explain it with the following schemas: 
5 means copy all files new or modified since level 0, 3, and 5. 
4 means copy all files new or modified since level 0, 3, and 4. 
7 means copy all files new or modified since level 0, 3, 4, and 7. 
6 means copy all files new or modified since level 0, 3, 4, and 6. 
9 means copy all files new or modified since level 0, 3, 4, 6, and 9. 
8 means copy all files new or modified since level 0, 3, 4, 6, and 8. 
9 means copy all files new or modified since level 0, 3, 4, 6, 8, and 9. 


The advantages and reasons for doing this are that with multiple levels, the backup history can be 
extended more cheaply. A longer backup history is useful, since deleted or corrupted files are 
often not noticed for a long time. Even a version of a file that is not very up to date is better than 
no file at all. Also, backup levels are used to keep both the backup and restore times to a 
minimum. 

The dump manual page suggests a good scheme to take full advantage of backup levels: 3, 
2, 5, 4, 7, 6, 9, 8, 9, etc., as described by the table below. The most you have to back up is two 
days' worth of work. The number of tapes for a restore depends on how long you wait between 
full backups. 






































Tape | Level | Backup (days) | Restore tapes 
  1  |   0   |      n/a      | 1 
  2  |   3   |       1       | 1, 2 
  3  |   2   |       2       | 1, 3 
  4  |   5   |       1       | 1, 2, 4 
  5  |   4   |       2       | 1, 2, 5 
  6  |   7   |       1       | 1, 2, 5, 6 
  7  |   6   |       2       | 1, 2, 5, 7 
  8  |   9   |       1       | 1, 2, 5, 7, 8 
  9  |   8   |       2       | 1, 2, 5, 7, 9 
 10  |   9   |       1       | 1, 2, 5, 7, 9, 10 
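The rule behind the table, as an added shell example (not from the book) that assumes only POSIX sh and awk: base_date finds, in a constructed /etc/dumpdates, the most recent dump at a lower level than the one about to run, which is the date a new incremental dump is taken against; restore_chain walks a tape:level sequence backwards from a chosen tape, each step to the most recent earlier tape at a lower level, until it reaches a level 0, giving the tapes a restore has to read in order. The device name, dates and tape sequence are constructed.

```shell
#!/bin/sh
# Added example, not from the book: the "lower level" rule of dump applied to
# a constructed /etc/dumpdates and to a tape:level sequence. Assumes only
# POSIX sh and awk. Real dumpdates lines read "<device> <level> <date>".

DUMPDATES='/dev/sda6 0 Fri Mar 16 21:25:12 2001
/dev/sda6 3 Mon Mar 19 21:25:12 2001
/dev/sda6 2 Tue Mar 20 21:25:12 2001
/dev/sda6 5 Wed Mar 21 21:25:12 2001'

# base_date DEVICE LEVEL
#   Prints the date of the most recent recorded dump of DEVICE at a level
#   below LEVEL, i.e. the point a new LEVEL dump would be incremental from,
#   or "the epoch" when there is none (a level 0 always copies everything).
base_date() {
    printf '%s\n' "$DUMPDATES" | awk -v dev="$1" -v lvl="$2" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        $1 == dev && $2 + 0 < lvl + 0 {
            # fields: dev level Dow Mon DD HH:MM:SS YYYY -> sortable key
            key = $7 mon[$4] sprintf("%02d", $5) $6
            if (key > best) { best = key; date = $3 " " $4 " " $5 " " $6 " " $7 }
        }
        END { print (best == "" ? "the epoch" : date) }'
}

# restore_chain TAPE tape:level...
#   Given the dumps in the order they were written, prints the tapes needed
#   to rebuild the file system as of TAPE: TAPE itself, then repeatedly the
#   most recent earlier tape at a strictly lower level, down to a level 0.
restore_chain() {
    target=$1; shift
    printf '%s\n' "$@" | awk -F: -v target="$target" '
        { tape[NR] = $1; level[NR] = $2; if ($1 == target) t = NR }
        END {
            if (!t) exit 1
            need = tape[t]; cur = level[t] + 0
            for (i = t - 1; i >= 1 && cur > 0; i--)
                if (level[i] + 0 < cur) { need = tape[i] " " need; cur = level[i] + 0 }
            print need
        }'
}

# Demo: what a level 4 dump on Thursday would be taken against, and which
# tapes a restore from tape 5 of the table's sequence needs.
base_date /dev/sda6 4
restore_chain 5 1:0 2:3 3:2 4:5 5:4 6:7 7:6 8:9 9:8 10:9
```

Run over the 3, 2, 5, 4, 7, 6, 9, 8, 9 sequence, restore_chain gives 1, 3, 5 for tape 5, because the level 2 dump on tape 3 is the most recent one below level 4; the table above lists tape 2 there instead. A restore plan is therefore better derived from the actual /etc/dumpdates on the server (the only record dump itself consults) than from a printed table.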
It’s interesting to use the dump backup program if you want to take advantage of its several levels 
of backup procedures. Below, I show you a procedure to have a longer backup history, and to 
keep both the backup and restore times to a minimum. 


In the following example, we assume that we write the backup to a tape drive named “/dev/st0” 
and we backup the /home directory of our system. 


It is important to always start with a level 0 backup, for example: 


e Friday 1, (use tape 1 for the first full backup). 
[root@deep /]# dump -Ou -f /dev/st0O /home 


Dumping /dev/sda6 
mapping (Pass I) 
mapping (Pass IT) 


dumping (Pass III) 
dumping (Pass IV) 


[regular files 


DUMP: Date of this level O dump: Fri Mar 16 21:25:12 2001 
Date of last level 0 dump: the epoch 


(/home) to /dev/st0 


[directories] 


estimated 18582 tape blocks on 0.48 tape(s). 
Volume 1 started at: Fri Mar 16 21:25:12 2001 


{directories 
[regular files] 


DUMP: 18580 tape blocks on 1 volumes (s) 

finished in 4 seconds, throughput 4645 KBytes/sec 
Volume 1 completed at: Fri Mar 16 21:26:12 2001 
Volume 1 took 0:00:04 

Volume 1 transfer rate: 4645 KB/s 

level 0 dump on Fri Fri Mar 16 21:25:12 2001 





DUMP 
DUMP 
DUMP 

















UUVUUVUUGUVGVV VV VVVeUVGVVUU Sg 
£ 
vuvyrPuypPutr yyy ey ye www 


Date of this level O dump: Fri Mar 16 21:25:12 2001 


Date this dump completed: 
Average transfer rate: 4645 KB/s 


Closing /dev/st0 
DUMP IS DONE 





Monday, (use tapes 2 for the incremental backups). 


root@deep / 


root@deep / 


Wednesday, (u 
root@deep / 


Thursday, (use 
root@deep / 





t 





dump -3u -f£ /dev/st0O /home 


Tuesday, (use tapes 3 for the incremental backups). 


dump -2u -f£ /dev/st0O /home 


e tapes 4 for the incremental backups). 
dump -5u -f /dev/st0O /home 


apes 5 for the incremental backups). 
dump -4u -f£ /dev/st0O /home 








Friday 2, (use tape 6 for the incremental backups). 


root@deep / 


root@deep / 


root@deep / 


Wednesday, (u 
root@deep / 





dump -7u -f£ /dev/st0O /home 


Monday, (use tapes 2 for the incremental backups). 


dump -3u -f£ /dev/st0O /home 


Tuesday, (use tapes 3 for the incremental backups). 


dump -2u -f£ /dev/st0O /home 


e tapes 4 for the incremental backups). 











dump -5u -f£ /dev/st0O /home 


Fri Mar 16 21:25:18 2001 
Thursday, (use tape 5 for the incremental backups).
[root@deep /]# dump -4u -f /dev/st0 /home

Friday 3, (use tape 7 for the incremental backups).
[root@deep /]# dump -6u -f /dev/st0 /home

Monday, (use tape 2 for the incremental backups).
[root@deep /]# dump -3u -f /dev/st0 /home

Tuesday, (use tape 3 for the incremental backups).
[root@deep /]# dump -2u -f /dev/st0 /home

Wednesday, (use tape 4 for the incremental backups).
[root@deep /]# dump -5u -f /dev/st0 /home

Thursday, (use tape 5 for the incremental backups).
[root@deep /]# dump -4u -f /dev/st0 /home

Friday 4, (use tape 8 for the incremental backups only if there are 5 Fridays in one month).
[root@deep /]# dump -9u -f /dev/st0 /home

Monday, (use tape 2 for the incremental backups only if there are 5 Fridays in one month).
[root@deep /]# dump -3u -f /dev/st0 /home

Tuesday, (use tape 3 for the incremental backups only if there are 5 Fridays in one month).
[root@deep /]# dump -2u -f /dev/st0 /home

Wednesday, (use tape 4 for the incremental backups only if there are 5 Fridays in one month).
[root@deep /]# dump -5u -f /dev/st0 /home

Thursday, (use tape 5 for the incremental backups only if there are 5 Fridays in one month).
[root@deep /]# dump -4u -f /dev/st0 /home

Month, (use another tape for a new full backup when the month changes).
[root@deep /]# dump -0u -f /dev/st0 /home

Where “-0” to “-9” is the backup level option you want to use, the “-u” option means to update the 
file /etc/dumpdates after a successful dump, and the “-f” option tells dump to write the backup to a file; the file 
may be a special device file like /dev/st0 (a tape drive), /dev/rsd1c (a disk drive), an 
ordinary file, or “-” (the standard output). Finally, you must specify what you want to back up. In 
our example, it is the /home directory. 


You can see that we use the same tapes 2 to 5 for daily backups (Monday to Thursday = 4 
tapes), tapes 6, 7, and 8 for weekly backups (the other Fridays, 6 + 7 + 8 = 3 tapes; note that there 
can be five Fridays in one month) and tape 1 and any subsequent new one for monthly backups 
(first Friday of each month, 1 + the subsequent 11 months = 12 tapes). In conclusion, if we use 8 
tapes (4 + 3 + 1 = 8), we can have a full backup for one month and repeat the procedure with the 
8 tapes for the 11 months to come, for a total of one year of individual full backups. 


The full backup should be done at set intervals, say once a month, and on a set of fresh tapes 
that are saved forever. With this kind of procedure, you will have 12 tapes for 12 months that 
handle histories and changes of your system for one year. Afterwards, you can copy the 12 tape 
backups onto a different computer designated to keep all yearly backups for a long time and be 
able to reuse them (12 tapes) to repeat the procedure for a new year. Thank you Gerhard! 
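As an added example (not code from the book), the following Python script models the rotation above and answers the question a restore actually raises: which tapes must be mounted, in what order, to bring /home back to a given day, and which of those tapes have already been rewritten by a later day of the rotation. The schedule, the day labels and the 8-tape numbering are constructed to match the text.

```python
"""Which tapes are needed to rebuild /home on a given day under the dump(8)
rotation above? Added example; not code from the book."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Dump:
    day: str    # label such as "Tue2": weekday + week of the month (constructed)
    level: int  # dump level 0..9 given to dump(8)
    tape: int   # tape mounted in /dev/st0 for that run


# Constructed month following the book's rotation: Friday 1 is the level-0
# full on tape 1, Mon-Thu use levels 3,2,5,4 on tapes 2-5 every week, and
# Fridays 2-4 use levels 7,6,9 on tapes 6-8.
WEEKDAYS = [("Mon", 3, 2), ("Tue", 2, 3), ("Wed", 5, 4), ("Thu", 4, 5)]
FRIDAYS = [(0, 1), (7, 6), (6, 7), (9, 8)]


def month_schedule() -> List[Dump]:
    """All dumps of one month, in chronological order."""
    dumps = []
    for week, (fri_level, fri_tape) in enumerate(FRIDAYS, start=1):
        dumps.append(Dump(f"Fri{week}", fri_level, fri_tape))
        for name, level, tape in WEEKDAYS:
            dumps.append(Dump(f"{name}{week}", level, tape))
    return dumps


def restore_chain(dumps: List[Dump], upto: int) -> List[Dump]:
    """Dumps to feed to restore(8), oldest first, to reach the state captured
    by dumps[upto]. A level-N dump holds everything changed since the most
    recent dump of a level strictly below N, so walk back until level 0."""
    chain = [dumps[upto]]
    i = upto
    while chain[-1].level > 0:
        current = chain[-1].level
        i -= 1
        while dumps[i].level >= current:
            i -= 1
        chain.append(dumps[i])
    return chain[::-1]


def overwritten(dumps: List[Dump], chain: List[Dump], now: int) -> List[Dump]:
    """Members of chain whose tape has since been reused (by any dump up to
    index now). With the book's 8-tape set the Mon-Thu tapes are rewritten
    every week, so a mid-week state older than a week is no longer recoverable."""
    lost = []
    for d in chain:
        idx = dumps.index(d)
        if any(later.tape == d.tape for later in dumps[idx + 1:now + 1]):
            lost.append(d)
    return lost


if __name__ == "__main__":
    sched = month_schedule()
    for i, d in enumerate(sched):
        tapes = ", ".join(str(c.tape) for c in restore_chain(sched, i))
        print(f"{d.day:5} level {d.level}: mount tapes {tapes}")
```

Note that the Friday incrementals (levels 7, 6 and 9) sit above every weekday level, so they are only needed when restoring to that Friday itself.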
Restoring files with dump 

The restore command of the program performs the inverse function of dump(8). It restores 
files or file systems from backups made with dump. A full backup of a file system may be 
restored, and subsequent incremental backups layered on top of it. Single files and directory 
subtrees may be restored from full, or partial, backups. You have a number of possible commands 
and options to restore backed up data with the dump program. Below, we show you a procedure 
that uses the full potential of the restore program with the most options possible. It is also done 
in interactive mode. 


In an interactive restoration of files from a dump, the restore program provides a shell-like 
interface that allows the user to move around the directory tree selecting files to be extracted, 
after reading in the directory information from the dump. The following is what we will see if we try 
to restore our /home directory: 


First of all, we must move to the partition file system where we want to restore our backup. This is 
required, since the interactive mode of the restore program will restore our backups into the 
current partition file system from which we executed the restore command. 


• To move to the partition file system we want to restore (the /home directory in our case), 
use the following command: 
[root@deep /]# cd /home 


• To restore files from a dump in interactive mode, use the following command: 
[root@deep /home]# restore -i -f /dev/st0 
restore > 


A prompt will appear in your terminal. To list the current, or specified, directory, use the “ls” 
command as shown below: 


restore > ls 
admin/ lost+found/ named/ quota.group quota.user wahib/ 


restore > 


To change the current working directory to the specified one, use the “cd” command (in our 
example, we change to the wahib directory) as shown below: 


restore > cd wahib 
restore > ls 
./wahib: 
.Xdefaults      .bash_logout    .bashrc 
.bash_history   .bash_profile   Personal/ 

restore > 


To add the current directory or file to the list of files to be extracted, use the “add” command (If a 
directory is specified, then it and all its descendents are added to the extraction list) as shown 
below: 


restore > add Personal/ 
restore > 
Files that are on the extraction list are marked with a “*” when they are listed by the “ls” 
command: 


restore > ls 
./wahib: 
.Xdefaults      .bash_logout    .bashrc 
.bash_history   .bash_profile   *Personal/ 


To delete the current directory or specified argument from the list of files to be extracted, use the 
“delete” command (If a directory is specified, then it and all its descendents are deleted from 
the extraction list) as shown below: 


restore > cd Personal/ 
restore > ls 
./wahib/Personal: 
*Adèle_Nakad.doc   *Overview.doc 
*BIMCOR/           *Resume/ 
*My Webs/          *SAMS/ 
*Contents.doc      *Templates/ 
*Divers.doc        *bruno universite.doc 
*Linux/            *My Pictures/ 

restore > delete Resume/ 
restore > ls 
./wahib/Personal: 
*Adèle_Nakad.doc   *Overview.doc 
*BIMCOR/           Resume/ 
*My Webs/          *SAMS/ 
*Contents.doc      *Templates/ 
*Divers.doc        *bruno universite.doc 
*Linux/            *My Pictures/ 








NOTE: The most expedient way to extract most of the files from a directory is to add the directory 
to the extraction list and then delete those files that are not needed. 





To extract all files in the extraction list from the dump, use the “extract” command (Restore will 
ask which volume the user wishes to mount. The fastest way to extract a few files is to start with 
the last volume and work towards the first volume) as shown below: 


restore > extract 

You have not read any tapes yet. 

Unless you know which volume your file(s) are on you should start 
with the last volume and work towards the first. 

Specify next volume #: 1 

set owner/mode for '.'? [yn] y 


To exit from the interactive restore mode after you have finished extracting your directories or 
files, use the “quit” command as shown below. 


/sbin/restore > quit 
NOTE: Other methods of restoration exist with the dump program; consult the manual page of 
dump for more information. 





Further documentation 
For more details, there are some manual pages related to the program dump that you can read: 


$ man dump(8) - ext2 file system backup 
$ man restore(8) - Restore files or file systems from backups made with dump 


Backing up and restoring over the network 

Backups allow you to restore the availability and integrity of information resources following 
security breaches and accidents. Without a backup, you may be unable to restore a computer's 
data after system failures and security breaches. 


It is important to develop a plan that is broad enough to cover all the servers you plan to deploy. 
We must determine what categories of files will be backed up. For example, you may choose to 
back up only user data files (i.e. /home) because damaged system files should be reloaded from 
the original distribution media. 


There are common technological approaches to file backups. For network servers, an 
authoritative version of the informational content of the server is created and maintained on a 
secure machine that is backed up. If the server is compromised and its content damaged, it can 
be reloaded from the secure system maintaining the authoritative version. This approach is 
typically used for public servers, such as Web servers, because the content changes at more 
predictable intervals. 


It is important to ensure that backups are performed in a secure manner and that the contents of 
the backups remain secure. We recommend that the plan specify that: 


✓ The source data is encrypted before being transmitted to the storage medium. 
✓ The data remains encrypted on the backup storage media. 
✓ The storage media are kept in a physically secure facility that is protected from man-made 
and natural disasters. 


Transfer your backup in a secure manner over the network 

In the previous sections, we have shown you how to make a backup onto both a tape and files 
from the same system where you execute the backup procedure, with utilities like tar and dump. 
These programs (tar and dump) are capable of making backups over the network as well. 


To be able to back up over the network, usually you must ensure that the insecure RPM packages 
named “rmt” and “rsh” are installed on your system. The “rmt” utility provides remote access to 
tape devices for programs like dump and tar. To complement this, the “rsh” package contains a 
set of programs which allow users to run commands on remote machines, log in to other 
machines and copy files between machines (rsh, rlogin and rcp are this set of programs). 
Since “rsh” can be easily hacked, and “rmt” depends on “rsh” to be able to work, we have 
chosen not to install them in our setup installation (see the chapter related to Linux installation in this 
book for more information on the subject) for security reasons. Therefore, we must find another 
way to make backups over the network in a secure manner. 


SSH technology is the solution for our problem (see chapter related to OpenSSH in this book for 
more information on the subject) because it also has the ability to copy data across the network 
with its “scp” command, through encryption. The following is a method that permits us to use the 
potential of SSH software to transfer our backups made with tar or dump in a secure manner via 
the “scp” SSH utility. 


Using the scp command of SSH to transfer backups over the network 

The scp command copies files between hosts on a network. It uses SSH for data transfer, and 
uses the same authentication, and provides the same security, as SSH. Unlike the “rcp” utility 
that comes with the RPM package “rsh”, “scp” will transmit your data over the network 
encrypted. In our example below, we transfer a backup file made with the tar archive program; 
the procedure to transfer a backup file or tape made with the dump program is exactly the same. 


Step 1 

Before going into the command line that will transfer our data encrypted through the network, it is 
important to recall that the scp command, like any other SSH command used for encrypted 
connections between servers, will ask us by default to enter a pass-phrase. This is not useful when 
we want to automate backups using SSH for the transfer. Fortunately, it is possible to configure 
SSH not to ask for the pass-phrase before establishing the remote encrypted connection. We do it 
by creating a new SSH user without a pass-phrase. Of course I suppose that this user already 
exists in your Unix /etc/passwd file. If you don’t understand what I mean, please refer to the 
chapter related to OpenSSH in this book for more information on the subject. 


• To create a new SSH user without a pass-phrase, use the following commands: 
[root@deep /]# su backadmin 
[backadmin@deep /]$ ssh-keygen -d 
Generating DSA parameter and key. 
Enter file in which to save the key (/home/backadmin/.ssh/id_dsa): 
Created directory '/home/backadmin/.ssh'. 
Enter passphrase (empty for no passphrase): ← Here you press [Enter] 
Enter same passphrase again: ← Here you press [Enter] again 
Your identification has been saved in /home/backadmin/.ssh/id_dsa. 
Your public key has been saved in /home/backadmin/.ssh/id_dsa.pub. 
The key fingerprint is: 
1f:af:aa:22:0a:21:85:3c:07:7a:5c:ae:c2:d3:56:64 backadmin@deep 





As we can see here, our new SSH user is named “backadmin” and already exists in the 
/etc/passwd file of the Linux system. We su to this user and generate a new key pair for him. 
The most important part here is when the program asks us to enter a pass-phrase: we 
just press [Enter] to inform it that we don’t want a pass-phrase for this new SSH user. 





Step 2 

Once the key pair of our new SSH user has been generated, we must copy its local public key 
id_dsa.pub from its /home/backadmin/.ssh directory remotely onto the server to which 
we want to make the secure connection for transferring the backup files, under the name, say, 
“authorized_keys2”. One way to copy the file is to use the ftp command, or you might need 
to send the public key by electronic mail to the administrator of the system. Just include the 
contents of the ~/.ssh/id_dsa.pub file in the message. 

WARNING: Don’t forget that the same username, in our case “backadmin”, must exist on the other 
server side. This is required only to create the ~/.ssh directory required to place the public key. 





Step 3 

Now, we must edit the /etc/ssh/ssh_config file on the REMOTE host to which we have 
sent our id_dsa.pub key (which has become authorized_keys2) and add some additional 
lines to its ssh_config file to allow our new SSH user to connect and transfer backup files 
without a pass-phrase to the server. The text in bold marks the parts of the configuration file that 
must be customized and adjusted to satisfy your needs. 


• Edit the ssh_config file (vi /etc/ssh/ssh_config) on the REMOTE server and add 
the following lines: 


# Site-wide defaults for various options 

Host * 
    ForwardAgent no 
    ForwardX11 no 
    RhostsAuthentication no 
    RhostsRSAAuthentication no 
    RSAAuthentication yes 
    PasswordAuthentication no 
    FallBackToRsh no 
    UseRsh no 
    BatchMode no 
    CheckHostIP yes 
    StrictHostKeyChecking yes 
    IdentityFile ~/.ssh/identity 
    IdentityFile ~/.ssh/id_dsa 
    IdentityFile ~/.ssh/id_rsa1 
    IdentityFile ~/.ssh/id_rsa2 
    Port 22 
    Protocol 2,1 
    Cipher blowfish 
    EscapeChar ~ 

Host 207.35.78.13 
    ForwardAgent no 
    ForwardX11 no 
    RhostsAuthentication no 
    RhostsRSAAuthentication no 
    RSAAuthentication no 
    PasswordAuthentication no 
    FallBackToRsh no 
    UseRsh no 
    BatchMode yes 
    CheckHostIP no 
    StrictHostKeyChecking yes 
    IdentityFile ~/.ssh/identity 
    IdentityFile ~/.ssh/id_dsa 
    IdentityFile ~/.ssh/id_rsa1 
    IdentityFile ~/.ssh/id_rsa2 
    Port 22 
    Protocol 2,1 
    Cipher blowfish 
    EscapeChar ~ 
As we can see, we have added a copy of the first configuration but have changed 
two important options. The “BatchMode yes” option allows connecting without a pass-phrase, and 
the “Host 207.35.78.13” option specifies that only a connection coming from IP address 
207.35.78.13 (this is the one that we will use with the scp command to transfer the backup 
files) is allowed to use this configuration, where users can connect without a pass-phrase. The 
other settings are the same as in the original one. Finally, we keep the original setting for regular 
connections to the server, where a pass-phrase is required. 


Step 4 
After that, we edit the /etc/ssh/sshd_config file on REMOTE again, and add to the 
“AllowUsers” option, our new SSH user to allow him to connect to the REMOTE server. 


• Edit the sshd_config file (vi /etc/ssh/sshd_config) on the REMOTE server and 
change, for example, the following lines: 


AllowUsers gmourani 
To read: 
AllowUsers gmourani backadmin 


Here we add our user named “backadmin” to the list of allowed users on the REMOTE host. 








NOTE: Steps 1 to 4 must be carried out on each server from which you want to establish an 
encrypted remote connection without a pass-phrase to transfer backups over the network. 





Step 5 
Finally, everything is supposed to be fine now and we are ready to transfer backup over the 
network in a secure way. 


• To use scp to copy a backup tape or file to a remote secure system, use the command: 
[backadmin@deep /]# scp <localdir/to/filelocation> \ 
<user@host:/dir/for/file> 


Where <localdir/to/filelocation> is the directory where your backup file resides on your 
LOCAL server, and <user@host:/dir/for/file> represents, in order, the username (user) 
of the person on the REMOTE site that will hold the backup file, the hostname (host) of the 
remote host where you want to send the backup file, and the remote directory of this host where 
you want to place the transferred backup file. 


A real example will look like this: 


[backadmin@deep /]# scp -Cp /backups/deep-01Feb.tar \ 
backadmin@backupserver:/archive/deep/deep-01Feb.tar 
deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100% 





Tar & Dump, CHAPTER 31 








NOTE: The “-C” option enables compression for fast data transfer over the encrypted session; the 
“-p” option indicates that the modification and access times as well as modes of the source file 
should be preserved on the copy. This is usually desirable. It is important to note that the 
<dir/for/file> directory on the remote host (/archive/deep in our example) must be 
owned by the “username” you specify in your scp command (“admin” is this username in our 
example) or you may receive an error message like: scp: /archive/deep/deep-01Feb.tar: 
Permission denied. 
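The transfer of Step 5 can be wrapped so that a cron job never blocks on a prompt and the copy is checked for integrity before the local file is considered safely archived. The following is an added example, not code from the book or from OpenSSH; it assumes the hypothetical host and path names used in the text, OpenSSH's BatchMode option, and that sha256sum is available on the remote host.

```python
"""Push a backup to the archive host with scp in batch mode, then confirm the
copy's SHA-256 matches the local file. Added example; not the book's code."""
import hashlib
import shlex
import subprocess
from typing import Callable, List

# Hypothetical site settings, mirroring the names used in the book's example.
REMOTE_USER = "backadmin"
REMOTE_HOST = "backupserver"
REMOTE_DIR = "/archive/deep"


def sha256_of_file(path: str) -> str:
    """Stream the file so a multi-gigabyte dump does not have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scp_push_command(local_path: str, remote_name: str) -> List[str]:
    """scp -Cp as in the book; BatchMode=yes (an OpenSSH option) makes a
    missing or rejected key fail immediately instead of leaving a cron job
    hanging on a passphrase or password prompt."""
    dest = f"{REMOTE_USER}@{REMOTE_HOST}:{REMOTE_DIR}/{remote_name}"
    return ["scp", "-Cp", "-o", "BatchMode=yes", local_path, dest]


def remote_sha256_command(remote_name: str) -> List[str]:
    """Run sha256sum on the archive host (assumes coreutils is installed there)."""
    target = shlex.quote(f"{REMOTE_DIR}/{remote_name}")
    return ["ssh", "-o", "BatchMode=yes", f"{REMOTE_USER}@{REMOTE_HOST}",
            f"sha256sum {target}"]


def parse_sha256sum(output: str) -> str:
    """sha256sum prints '<hex digest>  <path>'; keep only the digest."""
    return output.split()[0].lower()


def push_and_verify(local_path: str, remote_name: str,
                    run: Callable = subprocess.run) -> bool:
    """Copy the file and return True only if the remote digest matches.
    'run' is injectable so the logic can be exercised without a network."""
    expected = sha256_of_file(local_path)
    run(scp_push_command(local_path, remote_name), check=True)
    result = run(remote_sha256_command(remote_name), check=True,
                 capture_output=True, text=True)
    return parse_sha256sum(result.stdout) == expected


if __name__ == "__main__":
    import sys
    ok = push_and_verify(sys.argv[1], sys.argv[2])
    print("verified" if ok else "DIGEST MISMATCH: keep the local copy")
    sys.exit(0 if ok else 1)
```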








• To use scp to copy a remote tape or file to the local system, use the command: 
[backadmin@deep /]# scp <user@host:/dir/for/file> \ 
<localdir/to/filelocation> 


Where <user@host:/dir/for/file> represents, in order, the username (user) of the person 
on the REMOTE site that holds the backup file, the hostname (host) of the REMOTE host where 
you want to get the backup file, and the REMOTE directory of this host where the backup file is 
kept, and <localdir/to/filelocation> is the LOCAL directory on your system where your 
want to place the backup file that you get from the REMOTE host. 


A real example would look like this: 


[backadmin@deep /]# scp -Cp admin@backupserver:/archive/deep/deep-01Feb.tar /backups 
admin@backupserver's password: 
deep-01Feb.tgz | 10479 KB | 154.1 kB/s | ETA: 00:00:00 | 100% 











NOTE: It is important to note that the <localdir/to/filelocation> directory on the LOCAL 
host (“/backups” in our example) must be owned by the “username” you specify in your scp 
command (“admin” is this username in our example) or you may receive an error message like: 
scp: /backups/deep-01Feb.tar: Permission denied. 





Alternatives to tar and dump backups programs 


AMANDA 
AMANDA Homepage: http://www.cs.umd.edu/projects/amanda/ 


BRU 
BRU Homepage: http://www.bru.com/ 
Tweaks, Tips and Administration tasks 


Some of the tips in this section are specific to Linux systems. Most are applicable to UNIX systems 
in general. I make this section available since I think that it can be useful in the daily administrative 
tasks of most of us. 


1.0 The du utility command 
You can use the du utility to estimate file space usage. For example, to determine in megabytes 
the sizes of the /var/log and /home directory trees, type the following command: 


[root@deep /]# du -sh /var/log /home 
3.5M /var/log 
350M /home 


Keep in mind that the above command will report the actual size of your data. Now that you know 
for example that /home is using 350M you can move into it and du -sh * to locate where the 
largest files are. 


[root@deep /]# cd /home/ 
[root@deep /home]# du -sh * 
343   admin 
11k   ftp 
6.8   httpd 
12k   lost+found 
6.0k  named 
6.0k  smbclient 
6.0k  test 
8.0k  www 











NOTE: You can add this command to your crontab so that every day you get emailed the desired 
disk space list, and you'll be able to monitor it without logging in constantly. 





1.1 Find the route that the packets sent from your machine to a remote host 


If you want to find out the route that the packets sent from your machine to a remote host, simply 
issue the following command: 


[root@deep /]# traceroute www.redhat.com 
traceroute to www.portal.redhat.com (206.132.41.202), 30 hops max, 38 byte packets 
 1 portal.openna.com (207.253.108.5) 98.584 ms 1519.806 ms 109.911 ms 
 2 fa5-1-0.rb02-piex.videotron.net (207.96.135.1) 149.888 ms 89.830 ms 109.914 ms 
 3 ia-tlpt-bb01-fec1.videotron.net (207.253.253.53) 149.896 ms 99.873 ms 139.930 ms 
 4 ia-cduc-bb02-ge2-0.videotron.net (207.253.253.61) 99.897 ms 169.863 ms 329.926 ms 
 5 if-4-1.core1.Montreal.Teleglobe.net (207.45.204.5) 409.895 ms 1469.882 ms 109.902 ms 
 6 if-1-1.core1.NewYork.Teleglobe.net (207.45.223.109) 189.920 ms 139.852 ms 109.939 ms 
 7 206.132.150.133 (206.132.150.133) 99.902 ms 99.724 ms 119.914 ms 
 8 pos1-0-2488M.wr2.CLE1.gblx.net (206.132.111.89) 189.899 ms 129.873 ms 129.934 ms 
 9 pos8-0-2488m.kcy1.globalcenter.net (206.132.111.82) 169.890 ms 179.884 ms 169.933 ms 
10 206.132.114.77 (206.132.114.77) 199.890 ms 179.771 ms 169.928 ms 
11 pos8-0-2488M.wr2.SFO1.gblx.net (206.132.110.110) 159.909 ms 199.959 ms 179.837 ms 
12 pos1-0-2488M.cr1.SNV2.gblx.net (208.48.118.118) 179.885 ms 309.855 ms 299.937 ms 
13 pos0-0-0-155M.hr2.SNV2.gblx.net (206.132.151.46) 329.905 ms 179.843 ms 169.936 ms 
14 206.132.41.202 (206.132.41.202) 2229.906 ms 199.752 ms 309.927 ms 











Where <www.redhat.com> is the name or IP address of the host that you want to trace. 

1.2 Display the number of times your Web pages have been accessed: 
To display quickly the number of times your web page has been accessed, use this command: 


[root@deep /]# grep "GET / HTTP" /var/log/httpd/access_log | wc -l 
467 


1.3 Shut down most services altogether 
As root, you can shut down most services altogether with the following command: 


[root@deep /]# killall httpd smbd nmbd slapd named 

The above command will shut down the Apache server, Samba services, LDAP server, and DNS 
server respectively. 

1.4 Want a clock on the top of your terminal for all users? 

Edit the profile file (vi /etc/profile) and add the following line: 


PROMPT_COMMAND='echo -ne "\0337\033[2;999r\033[1;1H\033[00;44m\033[K"`date`"\033[00m\0338"' 


The result will look like: 





1.5 Do you have lsof installed on your server? 

If not, install it and execute lsof -i. This should list which ports you have open on your 
machine. The lsof program is a great tool as it will tell you which processes are listening on a 
given port. 


[root@deep /]# lsof -i 
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME 
inetd     344 root    4u  IPv4    ...       TCP *:ssh (LISTEN) 
1.6 Run commands on remote servers via the ssh protocol without logging in 

The ssh command can also be used to run commands on remote systems without logging in. 
The output of the command is displayed, and control returns to the local system. Here is an 
example which will display all the users logged in on the remote system. 


[admin@deep /]$ ssh boreas.openna.com who 
admin@boreas.openna.com's password: 
root     tty1     Dec  2 14:45 
admin    tty2     Dec  2 14:45 
wahib    pts/0    Dec  2 11:38 


1.7 Filename Completion 

Tab filename completion allows you to type in portions of a filename or program, and then press 
[TAB], and it will complete the filename for you. If there's more than one file or program that 
starts with what you already typed in, it will beep, and then when you press [TAB] again it will list 
all the files that start with what you initially typed. 








NOTE: AFAIK, filename completion works only for bash by default but not for e.g. ksh. If you use 
ksh instead of bash as the command shell then to enable "Filename Completion" in ksh, you 
have to set the following: 


set -o vi-tabcomplete 





1.8 Special Characters 

You can quickly accomplish tasks that you perform frequently by using shortcut keys — one or 
more keys you press on the keyboard to complete a task. For example, special characters can be 
used on the Linux shell like the following: 


Control-d: If you are in the shell and hit Control-d you get logged off. 
Control-l: If you are in the shell and hit Control-l you clear the screen. 


? : This is a wildcard. This can represent a single character. If you specified something at the 
command line like "m?b" Linux would look for mob, mib, mub, and every other letter/number 
between a-z, 0-9. 


* : This can represent any number of characters. If you specified "mi*" it would match mit, mim, 
miiii, miya, and ANYTHING that starts with “mi”. "m*l" could be mill, mull, ml, and 
anything that starts with an “m” and ends with an “l”. 


[] : Specifies a range. If I did m[o,u,i]m Linux would think: mom, mum, mim. If I did m[a-d]m 
Linux would think: mam, mbm, mcm, mdm. Get the idea? The [], ?, and * are usually used with 
copying, deleting, and directory listings. 
NOTE: EVERYTHING in Linux is CASE sensitive. This means "Bill" and "bill" are not the 
same thing. This allows for many files to be able to be stored, since "Bill", "bill", "bIll", 
"biLl", etc. can be different files. So, when using the [] stuff, you have to specify capital letters 
if any files you are dealing with have capital letters. Most everything is lower case in UNIX, 
though. 








1.9 Freeze a process ID temporarily 

The UNIX kill command name is misleading: only some incantations of the kill command 
actually terminate the target process. "kill -STOP" suspends the target process immediately 
and unconditionally. The process can still be resumed with "kill -CONT" as if nothing 
happened. This command can be useful when you want, for example, to freeze a suspicious 
process running on your system and conduct any further investigations at leisure. 


[root@deep /]# kill -STOP 401 
The above command will suspend the process ID 401, which is related to the sshd daemon on 
my running system. Of course the process number will be different on your server, therefore take 
this process number as an example only. 


[root@deep /]# kill -CONT 401 


The above command will resume the process ID 401, which is related to the sshd daemon on my 
running system. 
This is a list of all Linux users around the world who have participated in the development of this 
book on a voluntary basis by providing good comments, ideas, help, suggestions, corrections and 
any other information of this kind. To thank them, I make this section available and list their 
names in non-alphabetical order. Sorry if I left anyone out. 


Brain Jensen 
Rob Egelink 
John Constantine 
Carl Friedberg 
Bart Van Pelt 
Liang Ge 

Ivan Darmawan 
Jerome Alet 
Arthur de Pauw 
Sigfus Oddsson 
Tim Stoop 

Wolf aliase Paul 
Pekka Saari 

P Tiili 

Catalin Russen 
Raphael Quoilin 
Bruce W. Mohler 
Eugene Teo 

Ivan Kolemanov 
Jorge Bianquetti 
Flavio Domingos 
Wolf 

Arthur de Pauw 
Carl Friedberg 
Brian Flemming Jensen 
Vinh Nguyen 

Xu Ying 

Syamsul Hidayat 
David Rousseau 
Madhusudan Madhu 
George Toft 
Werner Puschitz 
Mathieu Sebastien 
Chris de Vidal 


Naif 

ISM Kolemanor 
John Francis Lee 
Tim Groenwals 
Greg Walsh 
Shawn Duffy 
Hilton Travis 
Sylvain Rivest 
Timur Snoke 
Nelson 

Eric Gerbier 
Andre 

Peter 

Carlos A. Molina G 
J 

Paco Gracia 
Jame Saffeld 
Scott England-Sullivan 
Frederic Faure 
Teeguh Iskanto 
Sebastien Letard 
David Tillery 

Jim Cornelson 
Walker White 
John Crain 
Giuseppe 

Sinisa 

Charles Cosby 
Stapleton Bernard 
Neal Dias 

Nathan Hopper 
Olafur Gudmundsson 
Matt Roberts 


Sendy Harris 
Steve Snyder 
Mark Farey 

Ligu Song 

Jens Kerle 

Serge Rodrigues 
Oden Erikson 
Michael Moore 
Randy Jordan 
Radu Coroi 

Tou Brian 

Brian Richardson 
Mike Baker 

Fred Burke 

Tim Sandquist 
Rene Teinberg 
Bernhard Rosenkraenzer 
Gregory A Lundberg 
Andre Gerhard 
Matthias Zeichmann 
Neil W Rickert 
Mark.Andrews 
Erik Loeth 

David South Jr 
John LeRoy Crain 
Roberto Piola 
Oliver Enzmann 
Michael Brown 
La-Roque 

Colin Henry 

Hong Sukbum 
Brian Wellington 
Colin Henry 
Obtaining Requests for Comments (RFCs) 


Requests for Comments (RFCs) are an ongoing set of documents issued by the Internet 
Engineering Task Force (IETF) at the Network Information Center (NIC) that present new 
protocols and establish standards for the Internet protocol suite. Each such document defines 
an aspect of a protocol regarding the Internet. We have listed below all the RFCs that pertain to this 
book and the various software described in it. RFCs are available from the following site: 


http://www.cis.ohio-state.edu/rfc/ 


RFC706 
On the Junk Mail Problem. 


RFC733 
Standard for the Format of ARPA Network Text Messages. 


RFC768 
User Datagram Protocol (UDP). 


RFC791 
Internet Protocol (IP). 


RFC792 
Internet Control Message Protocol (ICMP). 


RFC793 
Transmission Control Protocol (TCP). 


RFC805 
Computer Mail Meeting Notes. 


RFC821 
Simple Mail Transfer Protocol (SMTP). 


RFC822 
Standard for the Format of ARPA Internet Text Messages. 


RFC934 
Proposed Standard for Message Encapsulation. 


RFC950 
IP Subnet Extension. 


RFC959 
File Transfer Protocol (FTP). 


RFC976 
UUCP Mail Interchange Format Standard. 


RFC1034 
Domain Names: Concepts and Facilities. 


RFC1036 
Standard for Interchange of USENET Message. 
RFC1058 
Routing Information Protocol (RIP). 


RFC1112 
Internet Group Multicast Protocol (IGMP). 


RFC1122 
Requirements for Internet Hosts - Communication Layers. 


RFC1123 
Requirements for Internet Hosts - Application and Support. 


RFC1137 
Mapping Between Full RFC 822 and RFC 822 with Restricted Encoding. 


RFC1153 
Digest Message Format. 


RFC1155 
Structure of Management Information (SMI). 


RFC1157 
Simple Network Management Protocol (SNMP). 


RFC1176 
Interactive Mail Access Protocol: Version 2. 


RFC1274 
The COSINE and Internet X.500 Schema. 


RFC1275 
Replication Requirements to provide an Internet Directory using X.500. 


RFC1279 
X.500 and Domains. 


RFC1308 
Executive Introduction to Directory Services Using the X.500 Protocol. 


RFC1309 
Technical Overview of Directory Services Using the X.500 Protocol. 


RFC1310 
The Internet Standards Process. 


RFC1319 
MD2 Message-Digest Algorithm. 


RFC1320 
MD4 Message-Digest Algorithm. 


RFC1321 
MD5 Message-Digest Algorithm. 
RFC1343 
User Agent Configuration Mechanism for Multimedia Mail Format Information. 


RFC1344 
Implications of MIME for Internet Mail Gateways. 


RFC1345 
Character Mnemonics and Character Sets. 


RFC1421 
Privacy Enhancement for Internet Electronic Mail: Part I - Message Encipherment and 
Authentication Procedures. 


RFC1422 
Privacy Enhancement for Internet Electronic Mail: Part II - Certificate-Based Key Management. 


RFC1423 
Privacy Enhancement for Internet Electronic Mail: Part III - Algorithms, Modes, and Identifiers 
[Draft]. 


RFC1428 
Transmission of Internet Mail from Just-Send-8 to 8bit-SMTP/MIME. 


RFC1430 
A Strategic Plan for Deploying an Internet X.500 Directory Service. 


RFC1492 
An Access Control Protocol, Sometimes Called TACACS. 


RFC1495 
Mapping Between X.400(1988)/ISO 10021 and RFC 822. 


RFC1496 
X.400 1988 to 1984 Downgrading. 


RFC1505 
Encoding Header Field for Internet Messages. 


RFC1510 
The Kerberos Network Authentication Service (V5). 


RFC1519 
Classless Inter-Domain Routing (CIDR) Assignment and Aggregation Strategy. 


RFC1521 
MIME (Multipurpose Internet Mail Extensions): Mechanisms for Specifying and Describing the 
Format of Internet Message Bodies (MIME). 


RFC1522 
Representation of Non-ASCII Text in Internet Message Headers. 


RFC1558 
A String Representation of LDAP Search Filters. 


RFC1566 
Mail Monitoring MIB. 
RFC1579 
Firewall-Friendly FTP. 


RFC1583 
Open Shortest Path First Routing V2 (OSPF2). 


RFC1617 
Naming and Structuring Guidelines for X.500 Directory Pilots. 


RFC1625 
WAIS over Z39.50-1988. 


RFC1631 
The IP Network Address Translator (NAT). 


RFC1652 
SMTP Service Extension for 8bit-MIMEtransport. 


RFC1661 
Point-to-Point Protocol (PPP). 


RFC1711 
Classifications in E-mail Routing. 


RFC1725 
Post Office Protocol, Version 3 (POP3). 


RFC1738 
Uniform Resource Locators (URL). 


RFC1739 
A Primer on Internet and TCP/IP Tools. 


RFC1777 
Lightweight Directory Access Protocol. 


RFC1778 
The String Representation of Standard Attribute Syntaxes. 


RFC1779 
A String Representation of Distinguished Names. 


RFC1781 
Using the OSI Directory to Achieve User Friendly Naming. 


RFC1796 
Not All RFCs are Standards. 


RFC1798 
Connection-less Lightweight Directory Access Protocol. 


RFC1823 
The LDAP Application Program Interface. 
RFC1830 
SMTP Service Extensions for Transmission of Large and Binary MIME Messages. 


RFC1844 
Multimedia E-mail (MIME) User Agent checklist. 


RFC1845 
SMTP Service Extension for Checkpoint/Restart. 


RFC1846 
SMTP 521 Reply Code. 


RFC1854 
SMTP Service Extension for Command Pipelining. 


RFC1855 
Netiquette Guidelines. 


RFC1864 
The content-MD5 Header. 


RFC1866 
Hypertext Markup Language - 2.0. 


RFC1869 
SMTP Service Extensions. 


RFC1870 
SMTP Service Extension for Message Size Declaration. 


RFC1872 
The MIME Multipart/Related Content-type. 


RFC1873 
Message/External-Body Content-ID Access-type. 


RFC1883 
Internet Protocol, Version 6 (IPv6) Specification. 


RFC1884 
IP Version 6 Addressing Architecture. 


RFC1886 
DNS Extensions to Support IP Version 6. 


RFC1891 
SMTP Service Extension for Delivery Status Notifications. 


RFC1892 
The Multipart/Report Content Type for the Reporting of Mail System Administrative Messages. 


RFC1893 
Enhanced Mail System Status Codes. 


RFC1894 
An Extensible Message Format for Delivery Status Notifications. 
RFC1918 
Address Allocation for Private Internets. 


RFC1928 
SOCKS Protocol Version 5. 


RFC1929 
Username/Password Authentication for SOCKS V5. 


RFC1959 
An LDAP URL Format. 


RFC1960 
A String Representation of LDAP Search Filters. 


RFC1961 
GSS-API Authentication Method for SOCKS Version 5. 


RFC2003 
IP Encapsulation within IP. 


RFC2028 
The Organizations Involved in the IETF Standards Process. 


RFC2044 
UTF-8, a transformation format of Unicode and ISO 10646. 


RFC2060 
Internet Message Access Protocol — Version 4rev1 (IMAP4). 


RFC2104 
HMAC: Keyed-Hashing for Message Authentication. 


RFC2138 
Remote Authentication Dial In User Service (RADIUS). 


RFC2164 
Use of an X.500/LDAP directory to support MIXER address mapping. 


RFC2200 
Internet Official Protocol Standards. 


RFC2218 
A Common Schema for the Internet White Pages Service. 


RFC2247 
Using Domains in LDAP/X.500 Distinguished Names. 


RFC2251 
Lightweight Directory Access Protocol (v3). 


RFC2252 
Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions. 
RFC2253 
Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names. 


RFC2254 
The String Representation of LDAP Search Filters. 


RFC2255 
The LDAP URL Format. 


RFC2256 
A Summary of the X.500(96) User Schema for use with LDAPv3. 


RFC2279 
UTF-8, a transformation format of ISO 10646. 


RFC2293 
Representing Tables and Subtrees in the X.500 Directory. 


RFC2294 
Representing the O/R Address hierarchy in the X.500 Directory Information Tree. 


RFC2305 
A Simple Mode of Facsimile Using Internet Mail. 


RFC2307 
An Approach for Using LDAP as a Network Information Service. 
The port numbers are divided into three ranges: the Well Known Ports, the Registered Ports, and 
the Dynamic and/or Private Ports. There are two series of ports, using two different protocols: 
TCP and UDP. They are different, although they can have the same port number. UDP ports 
cannot be reached with telnet. This appendix also includes a list of ports commonly used by Trojan 
horses. Every open port has a service or daemon running on it. A service or daemon is simply the 
software listening on that port, which provides a certain service to the users who connect to it. 


You can find out the corresponding services running on them by referring to the table below or to 
RFC 1700 (http://www.cis.ohio-state.edu/ric/), which contains the complete and updated list of 
port numbers and the services commonly running on them. 


Well Known Ports: 


The Well Known Ports are those from 0 through 1023 and are assigned by IANA (Internet 
Assigned Numbers Authority). For the latest status, please check at: http://www.iana.org/ 














Keyword Decimal Description Keyword Decimal Description 

O/tep Reserved opce-job-track 424/tcp IBM Operations 

0/udp Reserved opc-job-track 424/udp IBM Operations 
teopmux 1/tcp TCP Port Service icad-el 425/tep ICAD 
teopmux 1/udp TCP Port Service icad-el 425/udp ICAD 
compressnet 2/tep Management Utility smartsdp 426/tcp smartsdp 
compressnet 2/udp Management Utility smartsdp 426/udp smartsdp 
compressnet 3/tcp Compression Process svrloc 427/tep Server Location 
compressnet 3/udp Compression Process svrloc 427/udp Server Location 

4/tcp Unassigned ocs_cmu 428/tcp OCS_CMU 

4/udp Unassigned ocs_cmu 428/udp OCS_CMU 
rje 5/tcp Remote Job Entry ocs_amu 429/tcp OCS_AMU 
rje 5/udp Remote Job Entry ocs_amu 429/udp OCS_AMU 

6/tcp Unassigned utmpsd 430/tcp UTMPSD 

6/udp Unassigned utmpsd 430/udp UTMPSD 
echo T/tcp Echo utmpcd 431/tcp UTMPCD 
echo 7/udp Echo utmpcd 431/udp UTMPCD 

8/tcp Unassigned iasd 432/tcp TASD 

8/udp Unassigned iasd 432/udp TASD 
discard 9/tcp Discard nnsp 433/tcp NNSP 
discard 9/udp Discard nnsp 433/udp NNSP 

10/tcp Unassigned mobileip-agent 434/tcp MobileIP-Agent 

10/udp Unassigned mobileip-agent 434/udp MobileIP-Agent 
systat 11/tcp Active Users mobilip-mn 435/tcp MobilIP-MN 
systat 11/udp Active Users mobilip-mn 435/udp MobilIP-MN 

12/tcp Unassigned dna-cml 436/tcp DNA-CML 

12/udp Unassigned dna-cml 436/udp DNA-CML 
daytime 13/tcp Daytime (RFC 867) comscm 437/tcp comscm 
daytime 13/udp Daytime (RFC 867) comscm 437/udp comscm 

14/tcp Unassigned dsfgw 438/tcp dsfgw 

14/udp Unassigned dsfgw 438/udp dsfgw 

15/tep Unassigned dasp 439/tcp dasp 

15/udp Unassigned dasp 439/udp dasp 

16/tcp Unassigned sgcp 440/tcp sgcp 

16/udp Unassigned sgcp 440/udp sgcp 
gotd 17/tep Quote of the Day decvms-sysmgt 441/tcp decvms-sysmgt 
gotd 17/udp Quote of the Day decvms-sysmgt 441/udp decvms-sysmgt 
msp 18/tcp Message Send cvc_hostd 442/tcp cvc_hostd 
msp 18/udp Message Send cvc_hostd 442/udp cvc_hostd 
chargen 19/tep Character Generator https 443/tcp http proto TLS/sshL 
chargen 19/udp Character Generator https 443/udp http proto TLS/SSL 
ftp=data 20/tcp File Transfer snpp 444/tcp Simple Network 
ftp-data 20/udp File Transfer snpp 444/udp Simple Network 
ftp 21/tcp File Transfer microsoft—ds445/tcp Microsoft-—DS 
ftp 21/udp File Transfer microsoft—ds445/udp Microsoft—DS 
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ssh 
ssh 
telnet 
telnet 


smtp 
smtp 


nsw-fe 
nsw-fe 


msg-icp 
msg-icp 


msg-auth 
msg-auth 


dsp 
dsp 





time 

time 

rap 

rap 

rlp 

rlp 

# 

# 

graphics 
graphics 
nameserver 
nameserver 
nicname 
nicname 
mpm-flags 
mpm-flags 
mpm 

mpm 
mpm-snd 
mpm-snd 
ni-ftep 
ni-ftp 
auditd 
auditd 
tacacs 
tacacs 
re-mail-ck 
re-mail-ck 
la-maint 
la-maint 
xns-time 
xns-time 
domain 
domain 
xns-ch 
xns-ch 
isi-gl 
isi-gl 
xns-auth 
xns-auth 


# 














SSH Remote Login 

SSH Remote Login 
Telnet 

Telnet 

any private mail sys 
any private mail sys 
Simple Mail Transfer 
Simple Mail Transfer 
Unassigned 
Unassigned 

SW User System FE 
SW User System FE 
Unassigned 
Unassigned 

SG ICP 

SG ICP 

Unassigned 
Unassigned 

SG Authentication 
SG Authentication 
Unassigned 
Unassigned 

Display Support 
Display Support 
Unassigned 
Unassigned 

any private printer 
any private printer 
Unassigned 
Unassigned 

Time 

Time 

Route Access 

Route Access 
Resource Location 
Resource Location 
Unassigned 
Unassigned 

Graphics 

Graphics 

Host Name Server 
Host Name Server 

Who Is 

Who Is 

PM FLAGS Protocol 
PM FLAGS Protocol 
PM [recv] 

PM [recv] 

PM [default send] 
PM [default send] 

I FTP 

I FTP 

Digital Audit Daemon 
Digital Audit Daemon 
Login Host Protocol 
Login Host Protocol 
Remote Mail Checking 
Remote Mail Checking 
IMP 

P 

S Time Protocol 

S Time Protocol 
omain Name Server 
omain Name Server 

S Clearinghouse 

S Clearinghouse 

I Graphics Lang 
a8 
Ss 














Graphics Lang 

Authentication 
S Authentication 
rivate term access 








I 
Xx 
Xx 
D 
D 
x 
Xx 
I 
I 
4 
x 
P 











ddm-rdb 446/tcp 
ddm-rdb 446/udp 
ddm-dfm 447/tcp 
ddm-dfm 447/udp 
ddm-ssl 448/tcp 
ddm-ssl 448/udp 
as-servermap449/tcp 
as-servermap449/udp 
tserver 450/tcp 
tserver 450/udp 
sfs-smp-net 451/tcp 
sfs-smp-net 451/udp 
sfs-config 452/tcp 
sfs-config 452/udp 
creativeserver 

creativeserver 

contentserver 

contentserver 

creativepartnr 

creativepartnr 

macon-tcp 456/tcp 
macon-udp 456/udp 
scohelp 457/tcp 
scohelp 457/udp 
applegtc 458/tcp 
applegtc 458/udp 
ampr-remd 459/tcp 
ampr-remd 459/udp 
skronk 460/tcp 
skronk 460/udp 
datasurfsrv 461/tcp 
datasurfsrv 461/udp 


datasurfsrvsec 462/tcp 
datasurfsrvsec 462/udp 


alpes 463/tcp 
alpes 463/udp 
kpasswd 464/tcp 
kpasswd 464/udp 
# 465 

digital-vre 466/tcp 
digital-vre 466/udp 
mylex-mapd 467/tcp 
mylex-mapd 467/udp 
photuris 468/tcp 
photuris 468/udp 
rep 469/tcp 
rep 469/udp 
SCX-proxy 470/tcp 
mondex 471/tcp 
mondex 471/udp 
1jk-login 472/tcp 
1jk-login 472/udp 
hybrid-pop 473/tcp 
hybrid-pop 473/udp 
tn-tl-wl 474/tcp 
tn-tl-w2 474/udp 


tcpnethaspsrv 475/tcp 
tcpnethaspsrv 475/udp 











tn-tl-fdl 476/tcp 
tn-tl-fdl 476/udp 
ss7ns 477/tcp 
ss7ns 477/udp 
spsc 478/tcp 
spsc 478/udp 
iafserver 479/tcp 
iafserver 479/udp 
iafdbase 480/tcp 
iafdbase 480/udp 
ph 481/tcp 
ph 481/udp 
bgs-nsi 482/tcp 


453/tcp 
453/udp 
454/tcp 
454/udp 
455/tcp 
455/udp 
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DDM-RDB 

DDM-RDB 

DDM-RFM 

DDM-RFM 

DDM-SSL 

DDM-SSL 

AS Server Mapper 

AS Server Mapper 

TServer 

TServer 

Cray Network 

Cray Network 

Cray SFS config 

Cray SFS config 
CreativeServer 
CreativeServer 
ContentServer 
ContentServer 
CreativePartnr 
CreativePartnr 

macon-tcp 

macon-udp 

scohelp 

scohelp 

apple quick time 

apple quick time 

ampr-remd 

ampr-remd 

skronk 

skronk 

DataRampSrv 

DataRampSrv 
DataRampSrvSec 
DataRampSrvSec 

alpes 

alpes 

kpasswd 

kpasswd 

Unassigned 

digital-vre 

digital-vre 

mylex-mapd 

mylex-mapd 

proturis 

proturis 

Radio Control Proto 

Radio Control Proto 

SCX-Pproxy 

Mondex 

Mondex 

1jk-login 

1jk-login 

hybrid-pop 

hybrid-pop 

tn-tl-wl 

tn-tl-w2 

tcpnethaspsrv 

tcpnethaspsrv 

tna-tletal. 

tnetl-f£al. 

ss7ns 

ss7ns 

spsc 

spsc 

iafserver 

iafserver 

iafdbase 

iafdbase 

Ph service 

Ph service 

bgs-nsi 
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# 
xns-mail 
xns-mail 
# 

# 

# 

# 
ni-mail 
ni-mail 
acas 
acas 
whoist+ 
whoist+ 
covia 
covia 
tacacs-ds 
tacacs-ds 
sql*net 
sql*net 
bootps 
bootps 
bootpe 
bootpe 
tftp 
tftp 
gopher 
gopher 
netrjs-1 
netrjs-1 
netrjs-2 
netrjs-2 
netrjs-3 
netrjs-3 
netrjs—4 
netrjs—4 


deos 
deos 


vettcp 
vettcp 
finger 
finger 
http 


¢ 
xe) 


osts2—ns 
osts2-ns 
fer 

fer 
it-ml-dev 
it-ml-dev 





it-ml-dev 





He BBS RB AABBKX KO DS 


kerberos 
kerberos 
su-mit-tg 
su-mit-tg 
dnsix 
dnsix 
mit-—dov 
mit—dov 
npp 

npp 


57/ 
58/ 
58/ 
59/ 
59/ 
60/ 
60/ 
61/ 
61/ 
62/ 
62/ 
63/ 
63/ 
64/ 
64/ 
65/ 
65/ 
66/ 
66/ 
67/ 
67/ 
68/ 
68/ 
69/ 
69/ 
70/ 
70/ 
71/ 
71/ 
72/ 
72/ 
73/ 
73/ 
74/ 
74/ 
eisys 
ot 
76/ 
76/ 
77/ 
77/ 
78/ 
78/ 
79/ 
79/ 
80/ 
80/ 
81/ 
81/ 
82/ 
82/ 
83/ 
83/ 
84/ 
84/ 
85/ 
85/ 
86/ 
86/ 
87/ 
87/ 
88/ 
88/ 
89/ 
89/ 
90/ 
90/ 
91/ 
Of: 
92/ 
92/ 


udp 
Eep 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 














Private term 
XNS Mail 

XNS Mail 
Private file 
Private file 
Unassigned 
Unassigned 
NI MAIL 

NI MAIL 

ACA Services 
ACA Services 


access 


service 
service 


whoist+ 
whoist+ 
Com Integrator (CI) 
Com Integrator (CI) 


TACACS-Database Serv 
TACACS-Database Serv 
Oracle SQL*NET 
Oracle SQL*NET 
Bootstrap Server 
Bootstrap Server 
Bootstrap Client 
Bootstrap Client 
Trivial File Trans 
Trivial File Trans 
Gopher 
Gopher 
Remote 
Remote 
Remote 
Remote 
Remote 
Remote 


Job 
Job 
Job 
Job 
Job 
Job 


Service 
Service 
Service 
Service 
Service 
Service 
Remote Job Service 
Remote Job Service 
Private dial out 
Private dial out 
ExternalObject Store 
ExternalObject Store 
Private RJE service 
Private RJE service 
vettcp 

vettcp 

Finger 

Finger 

World Wide Web HTTP 
World Wide Web HTTP 
HOSTS2 Name Server 
OSTS2 Name Server 
XFER Utility 

XFER Utility 

IT ML Device 

IT ML Device 
CommonTrace Facility 
CommonTrace Facility 
IT ML Device 

IT ML Device 

icro Focus Cobol 
icro Focus Cobol 
Private term link 
Private term link 
Kerberos 

Kerberos 
SU/MITTelnet Gateway 
SU/MITTelnet Gateway 
DNSIX 

DNSIX 

MIT Dover Spooler 
MIT Dover Spooler 
Network Printing 
Network Printing 














bgs-nsi 482/ud 
ulpnet 483/tc 
ulpnet 483/ud 
integra-sme 484/tc 
integra-sme 484/ud 
powerburst 485/tc 
powerburst 485/ud 
avian 486/tc 
avian 486/ud 
saft 487/tc 
saft 487/ud 
gss-http 488/tc 
gss-http 488/ud 
nest-protocol 48 
nest-protocol 48 
micom-pfs 490/tc 
micom-pfs 490/ud 
go-login 491/tc 
go-login 491/ud 
tict-1 492/tc 
ticf-1 492/ud 
ticf-2 493/tc 
ticf-2 493/ud 
pov-ray 494/tc 
pov-ray 494/ud 
intecourier 495/tc 
intecourier 495/ud 
pim-rp-disc 496/tc 
pim-rp-disc 496/ud 
dantz 497/tc 
dantz 497/ud 
siam 498/tc 
siam 498/ud 
iso-ill 499/tc 
iso-ill 499/ud 
isakmp 500/tc 
isakmp 500/ud 
stmt 501/tc 
stmt 501/ud 


asa-appl-proto 50 
asa-appl-proto 50 


intrinsa 
intrinsa 
citadel 
citadel 
mailbox-lm 
mailbox-lm 
ohimsrv 
ohimsrv 
crs 

ers 
xvttp 
xvttp 
snare 
snare 
fcp 

fcp 
passgo 
passgo 
exec 
comsat 
biff 
login 
who 
shell 
syslog 
printer 
printer 
videotex 
videotex 
talk 


503/tc 
503/ud 
504/tc 
504/ud 
505/tc 
505/ud 
506/tc 
506/ud 
507/tc 
507/ud 
508/tc 
508/ud 
509/tc 
509/ud 
510/tc 
0/ud 
1l/tc 
1/ud 
2/tc 
2/ud 
2/ud 
3/te 
3/ud 
4/tc 
4/ud 
5/tc 
5/ud 
6/tc 
6/ud 
T/te 
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9/tcp 
9/udp 


2/tcp 
2/udp 


Port list 
APPENDIX |D 


bgs-nsi 

ulpnet 

ulpnet 

Integra Software 

Integra Software 

Air Soft Power Burst 

Air Soft Power Burst 

avian 

avian 

saft 

saft 

gss-http 

gss-http 
nest-protocol 
nest-protocol 

micom-pfs 

micom-pfs 

go-login 

go-login 

Transport 

Transport 

Transport 

Transport 

POV-Ray 

POV-Ray 

intecourier 

intecourier 

PIM-RP-DISC 

PIM-RP-DIS 

dantz 

dantz 

siam 

siam 

ISO ILL Protocol 

ISO ILL Protocol 

isakmp 

isakmp 

STMF 

STMF 
asa-appl-proto 
asa-appl-proto 

Intrinsa 

Intrinsa 

citadel 

citadel 

mailbox-lm 

mailbox-lm 

ohimsrv 

ohimsrv 

ers 

crs 

xvttp 

xvttp 

snare 

snare 

FirstClass Protocol 

FirstClass Protocol 

PassGo 

PassGo 

remote process exec 


FNA 
FNA 
FNA 
FNA 


for 
for 
for 
for 


used by mail system 
remote login 
maintains data bases 
cmd 


spooler 
spooler 
videotex 
videotex 
like tenex 
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dcp 

dcp 
objcall 
objcall 
supdup 
supdup 
dixie 
dixie 
swift-rvf 
swift-rvf 
tacnews 
tacnews 
metagram 
metagram 
newacct 
hostname 
hostname 
iso-tsap 
iso-tsap 
gppitnp 
gppitnp 
acr-nema 
acr-nema 
cso 

cso 
csnet-ns 
csnet-ns 
3com-tsmux 
3com-tsmux 
rtelnet 
rtelnet 
snagas 
snagas 
pop2 

pop2 

pop3 

pop3 
sunrpc 
sunrpc 
mcidas 
mcidas 
ident 
auth 

auth 
audionews 
audionews 
sftp 

sftp 
ansanotify 
ansanotify 
uucp-path 
uucp-path 
sqlserv 
sqlserv 
nntp 

nntp 
cfdptkt 
cfdptkt 
erpc 

erpc 
smakynet 
smakynet 
ntp 

ntp 
ansatrader 
ansatrader 
locus-map 
locus-map 
nxedit 
nxedit 
#unitary 


93/tcp 

93/udp 

94/tcp 

94/udp 

95/tcp 

95/udp 

96/tcp 

96/udp 

97/tcp 

97/udp 

98/tcp 

98/udp 

99/tcp 

99/udp 

100/tcp 
101/tcp 
101/udp 
102/tcp 
102/udp 
103/tcp 
103/udp 
104/tcp 
104/udp 
105/tcp 
105/udp 
105/tcp 
105/udp 
106/tcp 
106/udp 
107/tcp 
107/udp 
108/tcp 
108/udp 
109/tcp 
109/udp 
110/tcp 
110/udp 
111/tcp 
111/udp 
112/tcp 
112/udp 
Li3ftep 
113/tep 
113/udp 
114/tcp 
114/udp 
LAS Peep 
115/udp 
116/tcp 
116/udp 
117/tcp 
117/udp 
118/tcp 
118/udp 
119/tcp 
UIP actel =) 
120/tcp 
120/udp 
121/tcp 
121/udp 
122/tcp 
122/udp 
123/tep 
123/udp 
124/tcp 
124/udp 
125/tcp 
125/udp 
126/tcp 
126/udp 
126/tcp 














Control 
Control 
Object 
Object 


Device 
Device 
Tivoli 
Tivoli 
SUPDUP 
SUPDUP 
DIXIE 
DIXIE 
Swift 
Swift 
TAC News 

TAC News 

Metagram Relay 
Metagram Relay 
[unauthorized use] 
NIC Host Name Server 
NIC Host Name Server 
ISO-TSAP Class 0 
ISO-TSAP Class 0 
Genesis Trans Net 
Genesis Trans Net 
ACR-NEMA Digital 
ACR-NEMA Digital 
CCSO name server 
CCSO name server 
Mailbox Nameserver 
Mailbox Nameserver 
3COM-TSMUX 
3COM-TSMUX 

Remote Telnet 

Remote Telnet 


Specification 
Specification 
Remote 
Remote 





SNA 
SNA 
Post Office - V2 
Post Office - V2 
Post Office - V3 
Post Office - V3 


SUN Remote Proc Call 
SUN Remote Proc Call 
McIDAS 
McIDAS 


Auth Service 

Auth Service 

Audio News Multicast 
Audio News Multicast 
Simple FTP 

Simple FTP 

ANSA REX Notify 
ANSA REX Notify 

UUCP Path Service 
UUCP Path Service 
SQL Services 

SQL Services 

NNTP 

NNTP 

CFDPTKT 

CFDPTKT 

Remote Pro.Call 
Remote Pro.Call 
SMAKYNET 

SMAKYNET 

Network Time Proto 
Network Time Proto 
ANSA REX Trader 
ANSA REX Trader 
Locus Net Map Ser 
Locus Net Map Ser 
NXEdit 

NXEdit 

Unisys Unitary Login 





talk 

ntalk 
ntalk 
utime 
utime 

efs 

router 
ripng 
ripng 

ulp 

ulp 
ibm-db2 
ibm-db2 
ncp 

ncp 

timed 
timed 
tempo 
tempo 

stx 

stx 

custix 
custix 
irc-serv 
irc-serv 
courier 
courier 
conference 
conference 
netnews 
netnews 
netwall 
netwall 
mm-admin 
mm-admin 
iiop 

iiop 
opalis-rdv 
opalis-rdv 
nmsp 

nmsp 
gdomap 
gdomap 
apertus-—ldp 
apertus-—ldp 
uucp 

uucp 
uucp-rlogin 
uucp-rlogin 
commerce 
commerce 
klogin 
klogin 
kshell 
kshell 


appleqtcsrvr 
appleqtcsrvr 
dhepvé-client 
dhepvé-client 
dhcpv6-server 
dhcpv6-server 


afpovertcp 
afpovertcp 
idfp 

idfp 
new-rwho 
new-rwho 
cybercash 
cybercash 
deviceshare 
deviceshare 


517/ud 
518/tc 
518/ud 
519/tc 
519/ud 
520/tc 
520/ud 
521/tc 
521/ud 
522/te 
522/ud 
523/tc 
523/ud 
524/tc 
524/ud 
525/tc 
525/ud 
526/tc 
526/ud 
527/tc 
527/ud 
528/tc 
528/ud 
529/tc 
529/ud 
530/tc 
530/ud 
531/te 
531/ud 
532/tc 
532/ud 
533/tc 
533/ud 
534/tc 
534/ud 
535/tc 
535/ud 
536/tc 
536/ud 
537/tc 
537/ud 
538/tc 
538/ud 
539/tc 
539/ud 
540/tc 
540/ud 
541/tc 
541/ud 
542/tc 
542/ud 
543/tc 
543/ud 
544/tc 
544/udp 
545/tcp 
545/udp 
546/tcp 
546/udp 
547/tcp 
547/udp 
548/tcp 
548/ud 
549/tc 
549/ud 
550/tc 
550/ud 
951 /tC 
551/ud 
552/tc 
552/ud 
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Br OO Oe Oe 


Port list 
APPENDIX |D 


like tenex 


unixtime 

unixtime 

extended file name 
routing process 
ripng 

ripng 

ULP 

ULP 

IBM-DB2 

IBM-DB2 

NCP 

NCP 

Timeserver 
Timeserver 

Newdate 

Newdate 

Stock IxXChange 
Stock IxXChange 
Customer IXChange 
Customer IXChange 
IRC-SERV 
IRC-SERV 
rpc 

rpc 

chat 

chat 
readnews 
readnews 
Emergency 
Emergency 
MegaMedia 
MegaMedia 
iiop 

iiop 
opalis-rdv 
opalis-rdv 
Media Streaming 
Media Streaming 
gdomap 

gdomap 

Apertus Technologies 
Apertus Technologies 
uucpd 

uucpd 

uucp-rlogin 
uucp-rlogin 

commerce 

commerce 





broadcasts 
broadcasts 
Admin 
Admin 


kroemd 

kremd 
appleqtcsrvr 
appleqtcsrvr 
DHCPv6 Client 
DHCPv6 Client 
DHCPv6 Server 
DHCPv6 Server 

AFP over TCP 

AFP over TCP 

IDFP 

IDFP 

new-who 

new-who 

cybercash 

cybercash 

deviceshare 

deviceshare 


829 


#unitary 
locus-con 
locus-con 
gss-xlicen 
gss-xlicen 
pwdgen 
pwdgen 
cisco-ina 
cisco-fna 
cisco-tna 
cisco-tna 
cisco-sys 
cisco-sys 
statsrv 
statsrv 
ingres-net 
ingres-net 
epmap 
epmap 
profile 
profile 
netbios-ns 
netbios-ns 
netbios-—dgm 
netbios-—dgm 
netbios-ssn 
netbios-ssn 
emfis-—data 
emfis-—data 
emfis-cntl 
emfis-cntl 
bl-idm 
bl-idm 
imap 

imap 

uma 

uma 

uaac 

uaac 
iso-tp0 
iso-tp0 
iso-ip 
iso-ip 
jargon 
jargon 
aed-512 
aed-512 
sql-net 
sql-net 
hems 

hems 

bftp 

bftp 

sgmp 

sgmp 
netsc-prod 
netsc-prod 
netsc-dev 
netsc-dev 
sqlsrv 
sqlsrv 
knet-cmp 
knet-—cmp 
pemail-srv 
pemail-srv 
nss-routing 
nss-routing 
sgmp-traps 
sgmp-traps 
snmp 

snmp 





126/udp 
127/tecp 
127/udp 
128/tcp 
128/udp 
129/tcp 
129/udp 
130/tcp 
130/udp 
131/tcp 
131/udp 
132/tep 
132/udp 
133/tcp 
133/udp 
134/tcp 
134/udp 
135/tcp 
135/udp 
136/tcp 
136/udp 
137 /eep 
137/udp 
138/tcp 
138/udp 
139/tcp 
139/udp 
140/tcp 
140/udp 
141/tcp 
141/udp 
142/tcp 
142/udp 
143/tcp 
143/udp 
144/tcp 
144/udp 
145/tcp 
145/udp 
146/tcp 
146/udp 
147/tcp 
147/udp 
148/tcp 
148/udp 
149/tcp 
149/udp 
150/tcp 
150/udp 
151/tcp 
151/udp 
152/tcp 
152/udp 
153/tcp 
153/udp 
154/tcp 
154/udp 
155/tcp 
155/udp 
156/tcp 
156/udp 
157/tcp 
157/udp 
158/tcp 
158/udp 
159/tcp 
159/udp 
160/tcp 
160/udp 
161/tcp 
161/udp 

















Unisys Unitary Login 
Locus Conn Server 
Locus Conn Server 
GSS X Verification 
GSS X Verification 
Password Generator 
Password Generator 
cisco FNATIVE 

cisco FNATIVE 

cisco TNATIVE 

cisco TNATIVE 

cisco SYSMAINT 

cisco SYSMAINT 
Statistics Service 
Statistics Service 
INGRES-NET Service 
INGRES-NET Service 
DCE 

DCE 
PROFILE 
PROFILE 
NETBIOS 
NETBIOS 
NETBIOS 
NETBIOS 


Naming Sys 
Naming Sys 
Name Serv 
Name Serv 
Data Serv 
Data Serv 
NETBIOS Session Serv 
NETBIOS Session Serv 
FIS Data Serv 
FIS Data Serv 
FIS Control Serv 
FIS Control Serv 
ritton-Lee IDM 
ritton-Lee IDM 

[AP Protocol 

[AP Protocol 

[A Protocol 

A Protocol 

UAAC Protocol 

UAAC Protocol 
ISO-IPO 

ISO-IPO 

ISO-IP 

ISO-IP 

Jargon 

Jargon 

AED 512 Emulation 
AED 512 Emulation 
SQL-NET 

SOQL-NET 

HEMS 

HEMS 

Background FTP 
Background FTP 
SGMP 

SGMP 

ETSC 

ETSC 

ETSC 

ETSC 

SQL Service 

SQL Service 
KNET/VM Protocol 
KNET/VM Protocol 
PCMail Server 
PCMail Server 
SS-Routing 
SS-Routing 
SGMP-TRAPS 
SGMP-TRAPS 

SNMP 

SNMP 


GQHHUDUHAAAe 

















pirp 

pirp 

rtsp 

rtsp 

dst 

dst 

remotefs 
remotefs 
openvms-sysi 
openvms-sysi 
sdnskmp 
sdnskmp 
teedtap 
teedtap 
rmonitor 
rmonitor 
monitor 
monitor 
chshell 
chshell 
nntps 

nntps 

9pfs 

9pfs 

whoami 
whoami 
streettalk 
streettalk 
banyan-rpc 
banyan-rpc 
ms-shuttle 
ms-shuttle 
ms—rome 
ms—rome 
meter 

meter 

meter 

meter 

sonar 

sonar 
banyan-vip 
banyan-vip 
ftp-agent 
ftp-agent 
vemmi 

vemmi 

iped 

ipcd 

vnas 

vnas 

ipdd 

ipdd 

decbsrv 
decbsrv 
sntp-heartbe 
sntp-heartbe 
bdp 

bdp 
scc-security 
scc-security 
philips-vc 
philips-ve 
keyserver 
keyserver 
imap4-ssl 
imap4-ssl 
password-chg 
password-chg 
submission 
submission 
cal 





553/tc 
553/ud 
554/tc 
554/ud 
555/tc 
555/ud 
556/tc 
556/ud 
pe 557/tcp 
pe 557/udp 
558/tcp 
558/ud 
559/tc 
559/ud 
560/tc 
560/ud 
561/tc 
561/ud 
562/tc 
562/ud 
563/tc 
563/ud 
564/tc 
564/ud 
565/tc 
565/ud 
566/tc 
566/ud 
567/tc 
567/ud 
568/tc 
568/ud 
569/tc 
569/ud 
570/tc 
570/ud 
Sale ie 
571/ud 
572/tc 
572/ud 
S237tC 
573/ud 
574/tc 
574/ud 
575/te 
575/ud 
576/tc 
576/ud 
577/te 
577/ud 
578/tc 
578/ud 
579/tc 
579/ud 
at 580/tcp 
at 580/udp 
581/tcp 
581/udp 
582/tcp 
582/udp 
583/tcp 
583/udp 
584/tcp 
p 

p 


oe TO OO 


De ON ee ee ee Re TO a TE TR a 


584/ud 
585/tc 
585/udp 
586/tcp 
586/udp 
587/tcp 
587/udp 
588/tcp 








Port list 
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pirp 

pirp 

Real Time Stream 
Real Time Strea 


server 
server 
openvms-sysipc 
openvms-sysipc 
SDNSKMP 

SDNSKMP 

TEEDTAP 

TEEDTAP 

rmonitord 
rmonitord 


chemd 
chemd 
nntp over TLS/SSL 
nntp over TLS/SSL 
plan 9 file service 
plan 9 file service 
whoami 
whoami 
streettalk 
streettalk 
banyan-rpc 
banyan-rpc 
microsoft 
microsoft 
microsoft 
microsoft 
demon 
demon 
udemon 
udemon 
sonar 
sonar 
banyan-vip 
banyan-vip 
FIP Software Agent 
FTP Software Agent 
VEMMI 
VEMMI 
ipced 
ipced 
vnas 
vnas 
ipdd 
ipdd 
decbsrv 
decbsrv 
SNTP HEARTBEAT 
SNTP HEARTBEAT 
Bundle Discovery 
Bundle Discovery 
SCC Security 
SCC Security 
Philips Video 
Philips Video 
Key Server 
Key Server 
IMAP 4+SSL 
IMAP 4+SSL 
Password Change 
Password Change 
Submission 
Submission 
CAL 


shuttle 
shuttle 
rome 
rome 


830 


snmptrap 
snmptrap 
cmip-man 
cmip-man 
cmip-agent 
smip-agent 
xns-courier 
xns-courier 
s-net 
s-net 

namp 

namp 

rsvd 

rsvd 

send 

send 
print-srv 
print-srv 
multiplex 
multiplex 
cone ai 

evar aal 
xyplex-mux 
xyplex-mux 
mailg 
mailgq 
vmnet 
vmnet 
genrad-mux 
genrad-mux 
xdmcp 
xdmcp 
nextstep 
nextstep 
bgp 

bgp 

ris 

ris 

unify 
unify 
audit 
audit 
ocbinder 
ocbinder 
ocserver 
ocserver 
remote-kis 
remote-kis 
kis 

kis 

aci 

aci 

mumps 
mumps 

qft 

qft 

gacp 

gacp 
prospero 
prospero 
osu-nms 
osu-nms 
srmp 

srmp 

irc 

plato) 
dn6-nlm-aud 
dn6-nlm-aud 
dn6-smm-red 
dn6-smm-red 
dls 


162/ 
162/ 
163/ 
163/ 
164/ 
164/ 
165/ 
165/ 
166/ 
166/ 
167/ 
167/ 
168/ 
168/ 
169/ 
169/ 
170/ 
170/ 
171/ 
171/ 
172/ 
172/ 
173/ 
173/ 
174/ 
174/ 
175/ 
175/ 
176/ 
176/ 
Hl ee A 
ie AB 
178/ 
178/ 
179/ 
179/ 
180/ 
180/ 
181/ 
181/ 
182/ 
182/ 
183/ 
183/ 
184/ 
184/ 
185/ 
185/ 
186/ 
186/ 
187/ 
187/ 
188/ 
188/ 
189/ 
189/ 
190/ 
190/ 
191/ 
191/ 
192/ 
192/ 
193/ 
193/ 
194/ 
194/ 
195/ 
195/ 
196/ 
196/ 
197/ 


tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
ep 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
Eep 
udp 
tcp 
udp 
wep 























SNMP TRAP 
SNMP TRAP 
CMIP/TCP Manager 
CMIP/TCP Manager 
CMIP/TCP Agent 
CMIP/TCP Agent 
Xerox 
Xerox 
Sirius Systems 
Sirius Systems 
NAMP 
NAMP 
RSVD 
RSVD 
SEND 
SEND 
etwork PostScript 
etwork PostScript 
etwork Innovations 
etwork Innovations 
etwork Innovations 
etwork Innovations 
Xyplex 
Xyplex 
AITLO 
AILO 
VMNET 
VMNET 
GENRAD-MUX 
GENRAD-MUX 


X Display Manager 

X Display Manager 
NextStep Win Server 
NextStep Win Server 
Border Gateway 
Border Gateway 
Intergraph 
Intergraph 

Unify 

Unify 

Unisys Audit SITP 
Unisys Audit SITP 
OCcBinder 

OcBinder 

OoCServer 

OCServer 

Remote-KIS 
Remote-KIS 

KIS Protocol 

KIS Protocol 

App Communication 
App Communication 
Plus Five's MUMPS 
Plus Five's MUMPS 
Queued File Trans 
Queued File Trans 
Gateway Acc Control 
Gateway Acc Control 
Prospero Directory 
Prospero Directory 
Net Monitoring Sys 
Net Monitoring Sys 
Spider Monitoring 
Spider Monitoring 
Internet Relay Chat 
Internet Relay Chat 
DNSIX Module Audit 
DNSIX Module Audit 
DNSIX Session Mgt 
DNSIX Session Mgt 
Directory Location 























cal 588/udp 
eyelink 589/tcp 
eyelink 589/udp 
tns-cml 590/tcp 
tns-cml 590/udp 
http-alt 591/tcp 
http-alt 591/udp 
eudora-set 592/tcp 
eudora-set 592/udp 
http-rpc-epmap 593/tc 
http-rpc-epmap 593/ud 
tpip 594/tcp 
tpip 594/udp 
cab-protocol 595/tc 
cab-protocol 595/ud 
smsd 596/tcp 
smsd 596/udp 
ptcnameservice 597/tc 
ptcnameservice 597/ud 
sco-websrvrmg3 598/tc 
sco-websrvrmg3 598/ud 
acp 599/tcp 
acp 599/udp 
ipcserver 600/tcp 
ipcserver 600/udp 
# 601-605 
urm 606/tcp 
urm 606/udp 
nqs 607/tcp 
nqs 607/udp 
sift-uft 608/tcp 
sift-uft 608/udp 
npmp-trap 609/tcp 
npmp-trap 609/udp 
npmp-local 610/tcp 
npmp-local 610/udp 
npmp-gui 611/tcp 
npmp-gui 611/udp 
hmmp-ind 612/tcp 
hmmp-ind 612/udp 
hmmp-op 613/tcp 
hmmp-op 613/udp 
sshell 614/tcp 
sshell 614/udp 
sco-inetmgr 615/tcp 
sco-inetmgr 615/udp 
sco-sysmgr 616/tcp 
sco-sysmgr 616/udp 
sco-dtmgr 617/tcp 
sco-dtmgr 617/udp 
dei-icda 618/tcp 
dei-icda 618/udp 
digital-evm 619/tcp 
digital-evm 619/udp 











CAL 

EyeLink 
EyeLink 
TNS CML 
TNS CML 


Port list 
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FileMaker 
FileMaker 
Eudora Set 
Eudora Set 


PEP 
TPIP 
CAB 


0 





SCO 


p HTTP RPC Ep Map 
p HTTP RPC Ep Map 


Protocol 
Protocol 


Name Service 
Name Service 
Web Server 
Web Server 


Aeolon Core Protocol 
Aeolon Core Protocol 
Sun IPC server 
Sun IPC server 
Unassigned 
Cray Unified 
Cray Unified 
nqs 
nqs 
sender Init/Unsolici 
Sender-Init/Unsolici 
npmp-trap 
npmp-trap 
npmp-local 
npmp-local 
npmp-gui 
npmp-gui 
HMMP Indication 

P Indication 
HMMP Operation 
HMMP Operation 
SSLshell 
SSLshell 
Internet Config Man 
Internet Config Man 
SCO System Admin 
SCO System Admin 
SCO Desktop Admin 
SCO Desktop Admin 
DEI-ICDA 
DEI-ICDA 
Digital EVM 
Digital EVM 








sco-websrvrmgr 620/tcp SCO WebServer 
sco-websrvrmgr 620/udp SCO WebServer 
escp-ip o2lftep ESCP 

escp-ip 621/udp ESCP 

collaborator 622/tcp Collaborator 
collaborator 622/udp Collaborator 
aux_bus_shunt 623/tcp Aux Bus Shunt 
aux_bus_shunt 623/udp Aux Bus Shunt 
cryptoadmin 624/tcp Crypto Admin 
cryptoadmin 624/udp Crypto Admin 
dec_dlm 625/tcp DEC DLM 

dec_dlm 625/udp DEC DLM 

asia 626/tcp ASIA 

asia 626/udp ASIA 

passgo-tivoli 627/tcp PassGo Tivoli 
passgo-tivoli 627/udp PassGo Tivoli 
qmqp 628/tcp QMQP 


831 


t-8 





ipx 
vmpWwscs 
vmpwscs 
softpce 
softpce 
CAIlic 
CAIlic 
dbase 
dbase 

mpp 

mpp 

uarps 
uarps 
imap3 
imap3 
fln-spx 
fln-spx 
rsh-spx 
rsh-spx 
cdc 

cdc 
masqdialer 
masqdialer 
# 

direct 
direct 
sur-meas 
sur-meas 
inbusiness 
inbusiness 
link 

link 
dsp3270 
dsp3270 


subntbcst_tftp 
subntbcst_tftp 


bhfhs 
bhfhs 
# 


197/ 
198/ 
198/ 
199/ 
199/ 
200/ 
200/ 
201/ 
201/ 
202/ 
202/ 
203/ 
203/ 
204/ 
204/ 
205/ 
205/ 
206/ 
206/ 
207/ 
207/ 
208/ 
208/ 
209/ 
209/ 
210/ 
210/ 
211/ 
211/ 
212/ 
212/ 
213/ 
213/ 
214/ 
214/ 
21.57: 
215/ 
216/ 
216/ 
217/ 
217/ 
218/ 
218/ 
219/ 
219/ 
220/ 
220/ 
221/ 
221/ 
222/ 
222/ 
223/ 
223/ 
224/ 
224/ 
22> 
242/ 
242/ 
243/ 
243/ 
244/ 
244/ 
245/ 
245/ 
246/ 
246/ 


248/ 
248/ 
249- 





udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
top 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
241 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 











247/tcp 
247/udp 


tcp 
udp 
285 


Directory Location 
Directory Location 
Directory Location 
SMUX 

SMUX 

IBM System Resource 
IBM System Resource 
AppleTalk Routing 
AppleTalk Routing 
AppleTalk Name 
AppleTalk Name 
AppleTalk Unused 
AppleTalk Unused 





AppleTalk Echo 
AppleTalk Echo 
AppleTalk Unused 
AppleTalk Unused 
AppleTalk Zone 
AppleTalk Zone 
AppleTalk Unused 
AppleTalk Unused 
AppleTalk Unused 





AppleTalk Unused 

Quick Mail Transfer 

Quick Mail Transfer 

ANSI 239.50 

ANSI 239.50 

Texas Instruments 

Texas Instruments 

ATEXSSTR 

ATEXSSTR 

IPX 

IPX 

VM PWSCS 

VM PWSCS 

Insignia Solutions 

Insignia Solutions 

Computer Associates 

Computer Associates 

dBASE Unix 

dBASE Unix 

Netix Message Post 

Netix Message Post 

Unisys ARPs 

Unisys ARPs 

IMAP v3 

IMAP v3 

Berkeley rlogind 

Berkeley rlogind 

Berkeley rshd 

Berkeley rshd 

Certificate Distrib 

Certificate Distrib 

masqdialer 

masqdialer 

Reserved 

Direct 

Direct 

Survey Measurement 

Survey Measurement 

inbusiness 

inbusiness 

LINK 

LINK 

Display Systems 

Display Systems 
SUBNTBCST_TFTP 
SUBNTBCST_TFTP 

bhfhs 

bhfhs 

Reserved 











Port list 
qmqp            628/udp   QMQP
3com-amp3       629/tcp   3Com AMP3
3com-amp3       629/udp   3Com AMP3
rda             630/tcp   RDA
rda             630/udp   RDA
ipp             631/tcp   Internet Printing
ipp             631/udp   Internet Printing
bmpp            632/tcp   bmpp
bmpp            632/udp   bmpp
servstat        633/tcp   Service Status update
servstat        633/udp   Service Status update
ginad           634/tcp   ginad
ginad           634/udp   ginad
rlzdbase        635/tcp   RLZ DBase
rlzdbase        635/udp   RLZ DBase
ldaps           636/tcp   ldap protocol TLS/SSL
ldaps           636/udp   ldap protocol TLS/SSL
lanserver       637/tcp   lanserver
lanserver       637/udp   lanserver
mcns-sec        638/tcp   mcns-sec
mcns-sec        638/udp   mcns-sec
msdp            639/tcp   MSDP
msdp            639/udp   MSDP
entrust-sps     640/tcp   entrust-sps
entrust-sps     640/udp   entrust-sps
repcmd          641/tcp   repcmd
repcmd          641/udp   repcmd
esro-emsdp      642/tcp   ESRO-EMSDP V1.3
esro-emsdp      642/udp   ESRO-EMSDP V1.3
sanity          643/tcp   SANity
sanity          643/udp   SANity
dwr             644/tcp   dwr
dwr             644/udp   dwr
pssc            645/tcp   PSSC
pssc            645/udp   PSSC
ldp             646/tcp   LDP
ldp             646/udp   LDP
dhcp-failover   647/tcp   DHCP Failover
dhcp-failover   647/udp   DHCP Failover
rrp             648/tcp   Registry Registrar
rrp             648/udp   Registry Registrar
aminet          649/tcp   Aminet
aminet          649/udp   Aminet
obex            650/tcp   OBEX
obex            650/udp   OBEX
ieee-mms        651/tcp   IEEE MMS
ieee-mms        651/udp   IEEE MMS
udlr-dtcp       652/tcp   UDLR_DTCP
udlr-dtcp       652/udp   UDLR_DTCP
repscmd         653/tcp   RepCmd
repscmd         653/udp   RepCmd
aodv            654/tcp   AODV
aodv            654/udp   AODV
tinc            655/tcp   TINC
tinc            655/udp   TINC
spmp            656/tcp   SPMP
spmp            656/udp   SPMP
rmc             657/tcp   RMC
rmc             657/udp   RMC
tenfold         658/tcp   TenFold
tenfold         658/udp   TenFold
url-rendezvous  659/tcp   URL Rendezvous
url-rendezvous  659/udp   URL Rendezvous
mac-srvr-admin  660/tcp   MacOS Serv Admin
mac-srvr-admin  660/udp   MacOS Serv Admin
hap             661/tcp   HAP
hap             661/udp   HAP
pftp            662/tcp   PFTP
pftp            662/udp   PFTP
purenoise       663/tcp   PureNoise
purenoise       663/udp   PureNoise
rap             256/tcp   RAP
rap             256/udp   RAP
set             257/tcp   Secure Elect Trans
set             257/udp   Secure Elect Trans
yak-chat        258/tcp   Yak Personal Chat
yak-chat        258/udp   Yak Personal Chat
esro-gen        259/tcp   Efficient Short
esro-gen        259/udp   Efficient Short
openport        260/tcp   Openport
openport        260/udp   Openport
nsiiops         261/tcp   IIOP over TLS/SSL
nsiiops         261/udp   IIOP over TLS/SSL
arcisdms        262/tcp   Arcisdms
arcisdms        262/udp   Arcisdms
hdap            263/tcp   HDAP
hdap            263/udp   HDAP
bgmp            264/tcp   BGMP
bgmp            264/udp   BGMP
x-bone-ctl      265/tcp   X-Bone CTL
x-bone-ctl      265/udp   X-Bone CTL
sst             266/tcp   SCSI on ST
sst             266/udp   SCSI on ST
td-service      267/tcp   Tobit David Layer
td-service      267/udp   Tobit David Layer
td-replica      268/tcp   Tobit David Replica
td-replica      268/udp   Tobit David Replica
#               269-279   Unassigned
http-mgmt       280/tcp   http-mgmt
http-mgmt       280/udp   http-mgmt
personal-link   281/tcp   Personal Link
personal-link   281/udp   Personal Link
cableport-ax    282/tcp   Cable Port A/X
cableport-ax    282/udp   Cable Port A/X
rescap          283/tcp   rescap
rescap          283/udp   rescap
corerjd         284/tcp   corerjd
corerjd         284/udp   corerjd
#               285       Unassigned
fxp-1           286/tcp   FXP-1
fxp-1           286/udp   FXP-1
k-block         287/tcp   K-BLOCK
k-block         287/udp   K-BLOCK
#               288-307   Unassigned
novastorbakcup  308/tcp   Novastor Backup
novastorbakcup  308/udp   Novastor Backup
entrusttime     309/tcp   EntrustTime
entrusttime     309/udp   EntrustTime
bhmds           310/tcp   bhmds
bhmds           310/udp   bhmds
asip-webadmin   311/tcp   AppleShare WebAdmin
asip-webadmin   311/udp   AppleShare WebAdmin
vslmp           312/tcp   VSLMP
vslmp           312/udp   VSLMP
magenta-logic   313/tcp   Magenta Logic
magenta-logic   313/udp   Magenta Logic
opalis-robot    314/tcp   Opalis Robot
opalis-robot    314/udp   Opalis Robot
dpsi            315/tcp   DPSI
dpsi            315/udp   DPSI
decauth         316/tcp   decAuth
decauth         316/udp   decAuth
zannet          317/tcp   Zannet
zannet          317/udp   Zannet
pkix-timestamp  318/tcp   PKIX TimeStamp
pkix-timestamp  318/udp   PKIX TimeStamp
ptp-event       319/tcp   PTP Event
ptp-event       319/udp   PTP Event
ptp-general     320/tcp   PTP General
ptp-general     320/udp   PTP General
pip             321/tcp   PIP
pip             321/udp   PIP
secure-aux-bus  664/tcp   Secure Aux Bus
secure-aux-bus  664/udp   Secure Aux Bus
sun-dr          665/tcp   Sun DR
sun-dr          665/udp   Sun DR
mdqs            666/tcp
mdqs            666/udp
doom            666/tcp   doom Id Software
doom            666/udp   doom Id Software
disclose        667/tcp   SDR Technologies
disclose        667/udp   SDR Technologies
mecomm          668/tcp   MeComm
mecomm          668/udp   MeComm
meregister      669/tcp   MeRegister
meregister      669/udp   MeRegister
vacdsm-sws      670/tcp   VACDSM-SWS
vacdsm-sws      670/udp   VACDSM-SWS
vacdsm-app      671/tcp   VACDSM-APP
vacdsm-app      671/udp   VACDSM-APP
vpps-qua        672/tcp   VPPS-QUA
vpps-qua        672/udp   VPPS-QUA
cimplex         673/tcp   CIMPLEX
cimplex         673/udp   CIMPLEX
acap            674/tcp   ACAP
acap            674/udp   ACAP
dctp            675/tcp   DCTP
dctp            675/udp   DCTP
vpps-via        676/tcp   VPPS Via
vpps-via        676/udp   VPPS Via
vpp             677/tcp   Virtual Presence
vpp             677/udp   Virtual Presence
ggf-ncp         678/tcp   GNU NCP
ggf-ncp         678/udp   GNU NCP
mrm             679/tcp   MRM
mrm             679/udp   MRM
entrust-aaas    680/tcp   entrust-aaas
entrust-aaas    680/udp   entrust-aaas
entrust-aams    681/tcp   entrust-aams
entrust-aams    681/udp   entrust-aams
xfr             682/tcp   XFR
xfr             682/udp   XFR
corba-iiop      683/tcp   CORBA IIOP
corba-iiop      683/udp   CORBA IIOP
corba-iiop-ssl  684/tcp   CORBA IIOP SSL
corba-iiop-ssl  684/udp   CORBA IIOP SSL
mdc-portmapper  685/tcp   MDC Port Mapper
mdc-portmapper  685/udp   MDC Port Mapper
hcp-wismar      686/tcp   Hardware Control
hcp-wismar      686/udp   Hardware Control
asipregistry    687/tcp   asipregistry
asipregistry    687/udp   asipregistry
realm-rusd      688/tcp   REALM-RUSD
realm-rusd      688/udp   REALM-RUSD
nmap            689/tcp   NMAP
nmap            689/udp   NMAP
vatp            690/tcp   VATP
vatp            690/udp   VATP
msexch-routing  691/tcp   MS Exchange
msexch-routing  691/udp   MS Exchange
hyperwave-isp   692/tcp   Hyperwave-ISP
hyperwave-isp   692/udp   Hyperwave-ISP
connendp        693/tcp   connendp
connendp        693/udp   connendp
ha-cluster      694/tcp   ha-cluster
ha-cluster      694/udp   ha-cluster
ieee-mms-ssl    695/tcp   IEEE-MMS-SSL
ieee-mms-ssl    695/udp   IEEE-MMS-SSL
rushd           696/tcp   RUSHD
rushd           696/udp   RUSHD
uuidgen         697/tcp   UUIDGEN
uuidgen         697/udp   UUIDGEN
olsr            698/tcp   OLSR
rtsps           322/tcp   RTSPS
rtsps           322/udp   RTSPS
#               323-332   Unassigned
texar           333/tcp   Texar Security Port
texar           333/udp   Texar Security Port
#               334-343   Unassigned
pdap            344/tcp   Prospero Data Access
pdap            344/udp   Prospero Data Access
pawserv         345/tcp   Perf Analysis Bench
pawserv         345/udp   Perf Analysis Bench
zserv           346/tcp   Zebra server
zserv           346/udp   Zebra server
fatserv         347/tcp   Fatmen Server
fatserv         347/udp   Fatmen Server
csi-sgwp        348/tcp   Cabletron Management
csi-sgwp        348/udp   Cabletron Management
mftp            349/tcp   mftp
mftp            349/udp   mftp
matip-type-a    350/tcp   MATIP Type A
matip-type-a    350/udp   MATIP Type A
matip-type-b    351/tcp   MATIP Type B
matip-type-b    351/udp   MATIP Type B
bhoetty         351/tcp   bhoetty
bhoetty         351/udp   bhoetty
dtag-ste-sb     352/tcp   DTAG
dtag-ste-sb     352/udp   DTAG
bhoedap4        352/tcp   bhoedap4
bhoedap4        352/udp   bhoedap4
ndsauth         353/tcp   NDSAUTH
ndsauth         353/udp   NDSAUTH
bh611           354/tcp   bh611
bh611           354/udp   bh611
datex-asn       355/tcp   DATEX-ASN
datex-asn       355/udp   DATEX-ASN
cloanto-net-1   356/tcp   Cloanto Net 1
cloanto-net-1   356/udp   Cloanto Net 1
bhevent         357/tcp   bhevent
bhevent         357/udp   bhevent
shrinkwrap      358/tcp   Shrinkwrap
shrinkwrap      358/udp   Shrinkwrap
tenebris_nts    359/tcp   Tenebris Network
tenebris_nts    359/udp   Tenebris Network
scoi2odialog    360/tcp   scoi2odialog
scoi2odialog    360/udp   scoi2odialog
semantix        361/tcp   Semantix
semantix        361/udp   Semantix
srssend         362/tcp   SRS Send
srssend         362/udp   SRS Send
rsvp_tunnel     363/tcp   RSVP Tunnel
rsvp_tunnel     363/udp   RSVP Tunnel
aurora-cmgr     364/tcp   Aurora CMGR
aurora-cmgr     364/udp   Aurora CMGR
dtk             365/tcp   DTK
dtk             365/udp   DTK
odmr            366/tcp   ODMR
odmr            366/udp   ODMR
mortgageware    367/tcp   MortgageWare
mortgageware    367/ud
p   MortgageWare
qbikgdp         368/tcp   QbikGDP
qbikgdp         368/udp   QbikGDP
rpc2portmap     369/tcp   rpc2portmap
rpc2portmap     369/udp   rpc2portmap
codaauth2       370/tcp   codaauth2
codaauth2       370/udp   codaauth2
clearcase       371/tcp   Clearcase
clearcase       371/udp   Clearcase
ulistproc       372/tcp   ListProcessor
ulistproc       372/udp   ListProcessor
legent-1        373/tcp   Legent Corporation
legent-1        373/udp   Legent Corporation
legent-2        374/tcp   Legent Corporation
olsr            698/udp   OLSR
#               699-703   Unassigned
elcsd           704/tcp   errlog copy
elcsd           704/udp   errlog copy
agentx          705/tcp   AgentX
agentx          705/udp   AgentX
silc            706/tcp   SILC
silc            706/udp   SILC
borland-dsj     707/tcp   Borland DSJ
borland-dsj     707/udp   Borland DSJ
#               708       Unassigned
entrust-kmsh    709/tcp   Entrust Key
entrust-kmsh    709/udp   Entrust Key
entrust-ash     710/tcp   Entrust Admin
entrust-ash     710/udp   Entrust Admin
cisco-tdp       711/tcp   Cisco TDP
cisco-tdp       711/udp   Cisco TDP
#               712-728   Unassigned
netviewdm1      729/tcp   IBM NetView serv/cli
netviewdm1      729/udp   IBM NetView serv/cli
netviewdm2      730/tcp   IBM NetView send/tcp
netviewdm2      730/udp   IBM NetView send/tcp
netviewdm3      731/tcp   IBM NetView recv/tcp
netviewdm3      731/udp   IBM NetView recv/tcp
#               732-740   Unassigned
netgw           741/tcp   netGW
netgw           741/udp   netGW
netrcs          742/tcp   Net Rev. Cont. Sys.
netrcs          742/udp   Net Rev. Cont. Sys.
#               743       Unassigned
flexlm          744/tcp   Flexible License Man
flexlm          744/udp   Flexible License Man
#               745-746   Unassigned
fujitsu-dev     747/tcp   Fujitsu Dev Ctl
fujitsu-dev     747/udp   Fujitsu Dev Ctl
ris-cm          748/tcp   Russell Info Sci
ris-cm          748/udp   Russell Info Sci
kerberos-adm    749/tcp   kerberos admin
kerberos-adm    749/udp   kerberos admin
rfile           750/tcp
loadav          750/udp
kerberos-iv     750/udp   kerberos iv
pump            751/tcp
pump            751/udp
qrh             752/tcp
qrh             752/udp
rrh             753/tcp
rrh             753/udp
tell            754/tcp   send
tell            754/udp   send
#               755-757   Unassigned
nlogin          758/tcp
nlogin          758/udp
con             759/tcp
con             759/udp
ns              760/tcp
ns              760/udp
rxe             761/tcp
rxe             761/udp
quotad          762/tcp
quotad          762/udp
cycleserv       763/tcp
cycleserv       763/udp
omserv          764/tcp
omserv          764/udp
webster         765/tcp
webster         765/udp
#               766       Unassigned
phonebook       767/tcp   phone
phonebook       767/udp   phone
#               768       Unassigned
legent-2        374/udp   Legent Corporation
hassle          375/tcp   Hassle
hassle          375/udp   Hassle
nip             376/tcp   Amiga Envoy Network
nip             376/udp   Amiga Envoy Network
tnETOS          377/tcp   EC Corporation
tnETOS          377/udp   EC Corporation
dsETOS          378/tcp   EC Corporation
dsETOS          378/udp   EC Corporation
is99c           379/tcp   TIA/EIA/IS-99 client
is99c           379/udp   TIA/EIA/IS-99 client
is99s           380/tcp   TIA/EIA/IS-99 server
is99s           380/udp   TIA/EIA/IS-99 server
hp-collector    381/tcp   hp performance data
hp-collector    381/udp   hp performance data
hp-managed-node 382/tcp   managed node
hp-managed-node 382/udp   managed node
hp-alarm-mgr    383/tcp   alarm manager
hp-alarm-mgr    383/udp   alarm manager
arns            384/tcp   Remote Net Server
arns            384/udp   Remote Net Server
ibm-app         385/tcp   IBM Application
ibm-app         385/udp   IBM Application
asa             386/tcp   ASA Message Router
asa             386/udp   ASA Message Router
aurp            387/tcp   Appletalk
aurp            387/udp   Appletalk
unidata-ldm     388/tcp   Unidata LDM
unidata-ldm     388/udp   Unidata LDM
ldap            389/tcp   LDAP
ldap            389/udp   LDAP
uis             390/tcp   UIS
uis             390/udp   UIS
synotics-relay  391/tcp   SynOptics SNMP
synotics-relay  391/udp   SynOptics SNMP
synotics-broker 392/tcp   SynOptics Port
synotics-broker 392/udp   SynOptics Port
dis             393/tcp   Data Interpretation
dis             393/udp   Data Interpretation
embl-ndt        394/tcp   EMBL Nucleic Data
embl-ndt        394/udp   EMBL Nucleic Data
netcp           395/tcp   NETscout Control
netcp           395/udp   NETscout Control
netware-ip      396/tcp   Novell Netware IP
netware-ip      396/udp   Novell Netware IP
mptn            397/tcp   Multi Trans. Net.
mptn            397/udp   Multi Trans. Net.
kryptolan       398/tcp   Kryptolan
kryptolan       398/udp   Kryptolan
iso-tsap-c2     399/tcp   ISO Transport Class
iso-tsap-c2     399/udp   ISO Transport Class
work-sol        400/tcp   Workstation Sol
work-sol        400/udp   Workstation Sol
ups             401/tcp   UPS
ups             401/udp   UPS
genie           402/tcp   Genie Protocol
genie           402/udp   Genie Protocol
decap           403/tcp   decap
decap           403/udp   decap
nced            404/tcp   nced
nced            404/udp   nced
ncld            405/tcp   ncld
ncld            405/udp   ncld
imsp            406/tcp   Interactive Mail Sup
imsp            406/udp   Interactive Mail Sup
timbuktu        407/tcp   Timbuktu
timbuktu        407/udp   Timbuktu
prm-sm          408/tcp   Prospero Resource
prm-sm          408/udp   Prospero Resource
prm-nm          409/tcp   Prospero Resource
prm-nm          409/udp   Prospero Resource
APPENDIX D
vid             769/tcp
vid             769/udp
cadlock         770/tcp
cadlock         770/udp
rtip            771/tcp
rtip            771/udp
cycleserv2      772/tcp
cycleserv2      772/udp
submit          773/tcp
notify          773/udp
rpasswd         774/tcp
acmaint_dbd     774/udp
entomb          775/tcp
acmaint_transd  775/udp
wpages          776/tcp
wpages          776/udp
multiling-http  777/tcp   Multiling HTTP
multiling-http  777/udp   Multiling HTTP
#               778-779   Unassigned
wpgs            780/tcp
wpgs            780/udp
#               781-785   Unassigned
concert         786/tcp   Concert
concert         786/udp   Concert
qsc             787/tcp   QSC
qsc             787/udp   QSC
#               788-799   Unassigned
mdbs_daemon     800/tcp
mdbs_daemon     800/udp
device          801/tcp
device          801/udp
#               802-809   Unassigned
fcp-udp         810/tcp   FCP
fcp-udp         810/udp   FCP Datagram
#               811-827   Unassigned
itm-mcell-s     828/tcp   itm-mcell-s
itm-mcell-s     828/udp   itm-mcell-s
pkix-3-ca-ra    829/tcp   PKIX-3 CA/RA
pkix-3-ca-ra    829/udp   PKIX-3 CA/RA
#               830-872   Unassigned
rsync           873/tcp   rsync
rsync           873/udp   rsync
#               874-885   Unassigned
iclcnet-locate  886/tcp   ICL coNETion
iclcnet-locate  886/udp   ICL coNETion
iclcnet_svinfo  887/tcp   ICL coNETion
iclcnet_svinfo  887/udp   ICL coNETion
accessbuilder   888/tcp   AccessBuilder
accessbuilder   888/udp   AccessBuilder
cddbp           888/tcp   CD Database
#               889-899   Unassigned
omginitialrefs  900/tcp   OMG Initial Refs
omginitialrefs  900/udp   OMG Initial Refs
smpnameres      901/tcp   SMPNAMERES
smpnameres      901/udp   SMPNAMERES
ideafarm-chat   902/tcp   IDEAFARM-CHAT
ideafarm-chat   902/udp   IDEAFARM-CHAT
ideafarm-catch  903/tcp   IDEAFARM-CATCH
ideafarm-catch  903/udp   IDEAFARM-CATCH
#               904-910   Unassigned
xact-backup     911/tcp   xact-backup
xact-backup     911/udp   xact-backup
#               912-988   Unassigned
ftps-data       989/tcp   ftp protocol TLS/SSL
ftps-data       989/udp   ftp protocol TLS/SSL
ftps            990/tcp   ftp protocol TLS/SSL
ftps            990/udp   ftp protocol TLS/SSL
nas             991/tcp   Netnews Admin System
nas             991/udp   Netnews Admin System
telnets         992/tcp   telnet TLS/SSL
telnets         992/udp   telnet TLS/SSL
decladebug      410/tcp   DECLadebug
decladebug      410/udp   DECLadebug
rmt             411/tcp   Remote MT Protocol
rmt             411/udp   Remote MT Protocol
synoptics-trap  412/tcp   Trap Convention
synoptics-trap  412/udp   Trap Convention
smsp            413/tcp   SMSP
smsp            413/udp   SMSP
infoseek        414/tcp   InfoSeek
infoseek        414/udp   InfoSeek
bnet            415/tcp   BNet
bnet            415/udp   BNet
silverplatter   416/tcp   Silverplatter
silverplatter   416/udp   Silverplatter
onmux           417/tcp   Onmux
onmux           417/udp   Onmux
hyper-g         418/tcp   Hyper-G
hyper-g         418/udp   Hyper-G
ariel1          419/tcp   Ariel
ariel1          419/udp   Ariel
smpte           420/tcp   SMPTE
smpte           420/udp   SMPTE
ariel2          421/tcp   Ariel
ariel2          421/udp   Ariel
ariel3          422/tcp   Ariel
ariel3          422/udp   Ariel
opc-job-start   423/tcp   IBM Operations
opc-job-start   423/udp   IBM Operations
imaps           993/tcp   imap4 TLS/SSL
imaps           993/udp   imap4 TLS/SSL
ircs            994/tcp   irc TLS/SSL
ircs            994/udp   irc TLS/SSL
pop3s           995/tcp   pop3 TLS/SSL
pop3s           995/udp   pop3 TLS/SSL
vsinet          996/tcp   vsinet
vsinet          996/udp   vsinet
maitrd          997/tcp
maitrd          997/udp
busboy          998/tcp
puparp          998/udp
garcon          999/tcp
applix          999/udp   Applix ac
puprouter       999/tcp
puprouter       999/udp
cadlock2        1000/tcp
cadlock2        1000/udp
#               1001-1007 Unassigned
#               1008/udp  Possibly used by Sun
surf            1010/tcp  surf
surf            1010/udp  surf
#               1011-1022 Reserved
                1023/tcp  Reserved
                1023/udp  Reserved
Registered / Dynamic and/or Private Ports:
Below is the list of registered as well as Dynamic and/or Private Ports. The Registered Ports are
those from 1024 through 49151 and the Dynamic and/or Private Ports are those from 49152
through 65535.

Keyword         Decimal   Description
#               1024/tcp  Reserved
#               1024/udp  Reserved
blackjack       1025/tcp  network blackjack
blackjack       1025/udp  network blackjack
#               1026-1029 Unassigned
iad1            1030/tcp  BBN IAD
iad1            1030/udp  BBN IAD
iad2            1031/tcp  BBN IAD
iad2            1031/udp  BBN IAD
iad3            1032/tcp  BBN IAD
iad3            1032/udp  BBN IAD
#               1033-1046 Unassigned
neod1           1047/tcp  Sun's NEO Object
neod1           1047/udp  Sun's NEO Object
neod2           1048/tcp  Sun's NEO Object
neod2           1048/udp  Sun's NEO Object
td-postman      1049/tcp  Tobit David Postman
td-postman      1049/udp  Tobit David Postman
cma             1050/tcp  CORBA Manag Agent
cma             1050/udp  CORBA Manag Agent
optima-vnet     1051/tcp  Optima VNET
optima-vnet     1051/udp  Optima VNET
ddt             1052/tcp  Dynamic DNS Tools
ddt             1052/udp  Dynamic DNS Tools
remote-as       1053/tcp  Remote Assistant (RA)
remote-as       1053/udp  Remote Assistant (RA)
brvread         1054/tcp  BRVREAD
brvread         1054/udp  BRVREAD
ansyslmd        1055/tcp  ANSYS-License Manager
ansyslmd        1055/udp  ANSYS-License Manager
vfo             1056/tcp  VFO
vfo             1056/udp  VFO
startron        1057/tcp  STARTRON
startron        1057/udp  STARTRON
nim             1058/tcp  nim
nim             1058/udp  nim
nimreg          1059/tcp  nimreg
nimreg          1059/udp  nimreg
polestar        1060/tcp  POLESTAR
polestar        1060/udp  POLESTAR
kiosk           1061/tcp  KIOSK
kiosk           1061/udp  KIOSK
veracity        1062/tcp  Veracity
veracity        1062/udp  Veracity
kyoceranetdev   1063/tcp  KyoceraNetDev
kyoceranetdev   1063/udp  KyoceraNetDev
jstel           1064/tcp  JSTEL
jstel           1064/udp  JSTEL
syscomlan       1065/tcp  SYSCOMLAN
syscomlan       1065/udp  SYSCOMLAN
fpo-fns         1066/tcp  FPO-FNS
fpo-fns         1066/udp  FPO-FNS
instl_boots     1067/tcp  Bootstrap Proto.
instl_boots     1067/udp  Bootstrap Proto.
instl_bootc     1068/tcp  Bootstrap Proto.
instl_bootc     1068/udp  Bootstrap Proto.
cognex-insight  1069/tcp  COGNEX-INSIGHT
cognex-insight  1069/udp  COGNEX-INSIGHT
gmrupdateserv   1070/tcp  GMRUpdateSERV
gmrupdateserv   1070/udp  GMRUpdateSERV
bsquare-voip    1071/tcp  BSQUARE-VOIP
bsquare-voip    1071/udp  BSQUARE-VOIP
Keyword         Decimal   Description
alarm-clock-s   2667/tcp  Alarm Clock Serv
alarm-clock-s   2667/udp  Alarm Clock Serv
alarm-clock-c   2668/tcp  Alarm Clock Clt
alarm-clock-c   2668/udp  Alarm Clock Clt
toad            2669/tcp  TOAD
toad            2669/udp  TOAD
tve-announce    2670/tcp  TVE Announce
tve-announce    2670/udp  TVE Announce
newlixreg       2671/tcp  newlixreg
newlixreg       2671/udp  newlixreg
nhserver        2672/tcp  nhserver
nhserver        2672/udp  nhserver
firstcall42     2673/tcp  First Call 42
firstcall42     2673/udp  First Call 42
ewnn            2674/tcp  ewnn
ewnn            2674/udp  ewnn
ttc-etap        2675/tcp  TTC ETAP
ttc-etap        2675/udp  TTC ETAP
simslink        2676/tcp  SIMSLink
simslink        2676/udp  SIMSLink
gadgetgate1way  2677/tcp  Gadget Gate1 Way
gadgetgate1way  2677/udp  Gadget Gate1 Way
gadgetgate2way  2678/tcp  Gadget Gate2 Way
gadgetgate2way  2678/udp  Gadget Gate2 Way
syncserverssl   2679/tcp  Sync Server SSL
syncserverssl   2679/udp  Sync Server SSL
pxc-sapxom      2680/tcp  pxc-sapxom
pxc-sapxom      2680/udp  pxc-sapxom
mpnjsomb        2681/tcp  mpnjsomb
mpnjsomb        2681/udp  mpnjsomb
srsp            2682/tcp  SRSP
srsp            2682/udp  SRSP
ncdloadbalance  2683/tcp  NCDLoadBalance
ncdloadbalance  2683/udp  NCDLoadBalance
mpnjsosv        2684/tcp  mpnjsosv
mpnjsosv        2684/udp  mpnjsosv
mpnjsocl        2685/tcp  mpnjsocl
mpnjsocl        2685/udp  mpnjsocl
mpnjsomg        2686/tcp  mpnjsomg
mpnjsomg        2686/udp  mpnjsomg
pq-lic-mgmt     2687/tcp  pq-lic-mgmt
pq-lic-mgmt     2687/udp  pq-lic-mgmt
md-cg-http      2688/tcp  md-cf-http
md-cg-http      2688/udp  md-cf-http
fastlynx        2689/tcp  FastLynx
fastlynx        2689/udp  FastLynx
hp-nnm-data     2690/tcp  HP NNM Embedded
hp-nnm-data     2690/udp  HP NNM Embedded
itinternet      2691/tcp  IT Internet
itinternet      2691/udp  IT Internet
admins-lms      2692/tcp  Admins LMS
admins-lms      2692/udp  Admins LMS
belarc-http     2693/tcp  belarc-http
belarc-http     2693/udp  belarc-http
pwrsevent       2694/tcp  pwrsevent
pwrsevent       2694/udp  pwrsevent
vspread         2695/tcp  VSPREAD
vspread         2695/udp  VSPREAD
unifyadmin      2696/tcp  Unify Admin
unifyadmin      2696/udp  Unify Admin
oce-snmp-trap   2697/tcp  Oce SNMP Trap
oce-snmp-trap   2697/udp  Oce SNMP Trap
cardax          1072/tcp  CARDAX
cardax          1072/udp  CARDAX
bridgecontrol   1073/tcp  BridgeControl
bridgecontrol   1073/udp  BridgeControl
fastechnologlm  1074/tcp  FASTechnologies
fastechnologlm  1074/udp  FASTechnologies
rdrmshc         1075/tcp  RDRMSHC
rdrmshc         1075/udp  RDRMSHC
dab-sti-c       1076/tcp  DAB STI-C
dab-sti-c       1076/udp  DAB STI-C
imgames         1077/tcp  IMGames
imgames         1077/udp  IMGames
emanagecstp     1078/tcp  eManageCstp
emanagecstp     1078/udp  eManageCstp
asprovatalk     1079/tcp  ASPROVATalk
asprovatalk     1079/udp  ASPROVATalk
socks           1080/tcp  Socks
socks           1080/udp  Socks
amt-esd-prot    1082/tcp  AMT-ESD-PROT
amt-esd-prot    1082/udp  AMT-ESD-PROT
ansoft-lm-1     1083/tcp  Anasoft
ansoft-lm-1     1083/udp  Anasoft
ansoft-lm-2     1084/tcp  Anasoft
ansoft-lm-2     1084/udp  Anasoft
webobjects      1085/tcp  Web Objects
webobjects      1085/udp  Web Objects
cplscrambler-lg 1086/tcp  CPL Scrambler
cplscrambler-lg 1086/udp  CPL Scrambler
cplscrambler-in 1087/tcp  CPL Scrambler
cplscrambler-in 1087/udp  CPL Scrambler
cplscrambler-al 1088/tcp  CPL Scrambler
cplscrambler-al 1088/udp  CPL Scrambler
ff-annunc       1089/tcp  FF Annunciation
ff-annunc       1089/udp  FF Annunciation
ff-fms          1090/tcp  FF Fieldbus
ff-fms          1090/udp  FF Fieldbus
ff-sm           1091/tcp  FF System Manag
ff-sm           1091/udp  FF System Manag
obrpd           1092/tcp  OBRPD
obrpd           1092/udp  OBRPD
proofd          1093/tcp  PROOFD
proofd          1093/udp  PROOFD
rootd           1094/tcp  ROOTD
rootd           1094/udp  ROOTD
nicelink        1095/tcp  NICELink
nicelink        1095/udp  NICELink
cnrprotocol     1096/tcp  Common Name
cnrprotocol     1096/udp  Common Name
sunclustermgr   1097/tcp  Sun Cluster Man
sunclustermgr   1097/udp  Sun Cluster Man
rmiactivation   1098/tcp  RMI Activation
rmiactivation   1098/udp  RMI Activation
rmiregistry     1099/tcp  RMI Registry
rmiregistry     1099/udp  RMI Registry
mctp            1100/tcp  MCTP
mctp            1100/udp  MCTP
pt2-discover    1101/tcp  PT2-DISCOVER
pt2-discover    1101/udp  PT2-DISCOVER
adobeserver-1   1102/tcp  ADOBE SERVER
adobeserver-1   1102/udp  ADOBE SERVER
adobeserver-2   1103/tcp  ADOBE SERVER
adobeserver-2   1103/udp  ADOBE SERVER
xrl             1104/tcp  XRL
xrl             1104/udp  XRL
ftranhc         1105/tcp  FTRANHC
ftranhc         1105/udp  FTRANHC
isoipsigport-1  1106/tcp  ISOIPSIGPORT-1
isoipsigport-1  1106/udp  ISOIPSIGPORT-1
isoipsigport-2  1107/tcp  ISOIPSIGPORT-2
isoipsigport-2  1107/udp  ISOIPSIGPORT-2
ratio-adp       1108/tcp  ratio-adp
mck-ivpip       2698/tcp  MCK-IVPIP
mck-ivpip       2698/udp  MCK-IVPIP
csoft-plusclnt  2699/tcp  Csoft Plus Clnt
csoft-plusclnt  2699/udp  Csoft Plus Clnt
tqdata          2700/tcp  tqdata
tqdata          2700/udp  tqdata
sms-rcinfo      2701/tcp  SMS RCINFO
sms-rcinfo      2701/udp  SMS RCINFO
sms-xfer        2702/tcp  SMS XFER
sms-xfer        2702/udp  SMS XFER
sms-chat        2703/tcp  SMS CHAT
sms-chat        2703/udp  SMS CHAT
sms-remctrl     2704/tcp  SMS REMCTRL
sms-remctrl     2704/udp  SMS REMCTRL
sds-admin       2705/tcp  SDS Admin
sds-admin       2705/udp  SDS Admin
ncdmirroring    2706/tcp  NCD Mirroring
ncdmirroring    2706/udp  NCD Mirroring
emcsymapiport   2707/tcp  EMCSYMAPIPORT
emcsymapiport   2707/udp  EMCSYMAPIPORT
banyan-net      2708/tcp  Banyan-Net
banyan-net      2708/udp  Banyan-Net
supermon        2709/tcp  Supermon
supermon        2709/udp  Supermon
sso-service     2710/tcp  SSO Service
sso-service     2710/udp  SSO Service
sso-control     2711/tcp  SSO Control
sso-control     2711/udp  SSO Control
aocp            2712/tcp  Axapta Object
aocp            2712/udp  Axapta Object
raven1          2713/tcp  Raven1
raven1          2713/udp  Raven1
raven2          2714/tcp  Raven2
raven2          2714/udp  Raven2
hpstgmgr2       2715/tcp  HPSTGMGR2
hpstgmgr2       2715/udp  HPSTGMGR2
inova-ip-disco  2716/tcp  Inova IP Disco
inova-ip-disco  2716/udp  Inova IP Disco
pn-requester    2717/tcp  PN REQUESTER
pn-requester    2717/udp  PN REQUESTER
pn-requester2   2718/tcp  PN REQUESTER 2
pn-requester2   2718/udp  PN REQUESTER 2
scan-change     2719/tcp  Scan & Change
scan-change     2719/udp  Scan & Change
wkars           2720/tcp  wkars
wkars           2720/udp  wkars
smart-diagnose  2721/tcp  Smart Diagnose
smart-diagnose  2721/udp  Smart Diagnose
proactivesrvr   2722/tcp  Proactive Server
proactivesrvr   2722/udp  Proactive Server
watchdognt      2723/tcp  WatchDog NT
watchdognt      2723/udp  WatchDog NT
qotps           2724/tcp  qotps
qotps           2724/udp  qotps
msolap-ptp2     2725/tcp  MSOLAP PTP2
msolap-ptp2     2725/udp  MSOLAP PTP2
tams            2726/tcp  TAMS
tams            2726/udp  TAMS
mgcp-callagent  2727/tcp  Media Gateway
mgcp-callagent  2727/udp  Media Gateway
sqdr            2728/tcp  SQDR
sqdr            2728/udp  SQDR
tcim-control    2729/tcp  TCIM Control
tcim-control    2729/udp  TCIM Control
nec-raidplus    2730/tcp  NEC RaidPlus
nec-raidplus    2730/udp  NEC RaidPlus
netdragon-msngr 2731/tcp  NetDragon Mes
netdragon-msngr 2731/udp  NetDragon Mes
g5m             2732/tcp  G5M
g5m             2732/udp  G5M
signet-ctf      2733/tcp  Signet CTF
ratio-adp       1108/udp  ratio-adp
#               1109      Unassigned
nfsd-status     1110/tcp  Cluster status
nfsd-keepalive  1110/udp  Client status
lmsocialserver  1111/tcp  LM Social Server
lmsocialserver  1111/udp  LM Social Server
icp             1112/tcp  Intelligent Com
icp             1112/udp  Intelligent Com
#               1113      Unassigned
mini-sql        1114/tcp  Mini SQL
mini-sql        1114/udp  Mini SQL
ardus-trns      1115/tcp  ARDUS Transfer
ardus-trns      1115/udp  ARDUS Transfer
ardus-cntl      1116/tcp  ARDUS Control
ardus-cntl      1116/udp  ARDUS Control
ardus-mtrns     1117/tcp  ARDUS Multicast
ardus-mtrns     1117/udp  ARDUS Multicast
#               1118-1122 Unassigned
murray          1123/tcp  Murray
murray          1123/udp  Murray
#               1124-1154 Unassigned
nfa             1155/tcp  Network File Acs
nfa             1155/udp  Network File Acs
#               1156-1160 Unassigned
health-polling  1161/tcp  Health Polling
health-polling  1161/udp  Health Polling
health-trap     1162/tcp  Health Trap
health-trap     1162/udp  Health Trap
#               1163-1168 Unassigned
tripwire        1169/tcp  TRIPWIRE
tripwire        1169/udp  TRIPWIRE
#               1170-1179 Unassigned
mc-client       1180/tcp  Millicent Proxy
mc-client       1180/udp  Millicent Proxy
#               1181-1187 Unassigned
hp-webadmin     1188/tcp  HP Web Admin
hp-webadmin     1188/udp  HP Web Admin
#               1189-1199 Unassigned
scol            1200/tcp  SCOL
scol            1200/udp  SCOL
nucleus-sand    1201/tcp  Nucleus Sand
nucleus-sand    1201/udp  Nucleus Sand
caiccipc        1202/tcp  caiccipc
caiccipc        1202/udp  caiccipc
ssslic-mgr      1203/tcp  License Valid
ssslic-mgr      1203/udp  License Valid
ssslog-mgr      1204/tcp  Log Request
ssslog-mgr      1204/udp  Log Request
accord-mgc      1205/tcp  Accord-MGC
accord-mgc      1205/udp  Accord-MGC
anthony-data    1206/tcp  Anthony Data
anthony-data    1206/udp  Anthony Data
metasage        1207/tcp  MetaSage
metasage        1207/udp  MetaSage
seagull-ais     1208/tcp  SEAGULL AIS
seagull-ais     1208/udp  SEAGULL AIS
ipcd3           1209/tcp  IPCD3
ipcd3           1209/udp  IPCD3
eoss            1210/tcp  EOSS
eoss            1210/udp  EOSS
groove-dpp      1211/tcp  Groove DPP
groove-dpp      1211/udp  Groove DPP
lupa            1212/tcp  lupa
lupa            1212/udp  lupa
mpc-lifenet     1213/tcp  MPC LIFENET
mpc-lifenet     1213/udp  MPC LIFENET
kazaa           1214/tcp  KAZAA
kazaa           1214/udp  KAZAA
scanstat-1      1215/tcp  scanSTAT 1.0
scanstat-1      1215/udp  scanSTAT 1.0
etebac5         1216/tcp  ETEBAC 5
signet-ctf      2733/udp  Signet CTF
ccs-software    2734/tcp  CCS Software
ccs-software    2734/udp  CCS Software
monitorconsole  2735/tcp  Monitor Console
monitorconsole  2735/udp  Monitor Console
radwiz-nms-srv  2736/tcp  RADWIZ NMS SRV
radwiz-nms-srv  2736/udp  RADWIZ NMS SRV
srp-feedback    2737/tcp  SRP Feedback
srp-feedback    2737/udp  SRP Feedback
ndl-tcp-ois-gw  2738/tcp  NDL TCP-OSI Gty
ndl-tcp-ois-gw  2738/udp  NDL TCP-OSI Gty
tn-timing       2739/tcp  TN Timing
tn-timing       2739/udp  TN Timing
alarm           2740/tcp  Alarm
alarm           2740/udp  Alarm
tsb             2741/tcp  TSB
tsb             2741/udp  TSB
tsb2            2742/tcp  TSB2
tsb2            2742/udp  TSB2
murx            2743/tcp  murx
murx            2743/udp  murx
honyaku         2744/tcp  honyaku
honyaku         2744/udp  honyaku
urbisnet        2745/tcp  URBISNET
urbisnet        2745/udp  URBISNET
cpudpencap      2746/tcp  CPUDPENCAP
cpudpencap      2746/udp  CPUDPENCAP
fjippol-swrly   2747/tcp
fjippol-swrly   2747/udp
fjippol-polsvr  2748/tcp
fjippol-polsvr  2748/udp
fjippol-cnsl    2749/tcp
fjippol-cnsl    2749/udp
fjippol-port1   2750/tcp
fjippol-port1   2750/udp
fjippol-port2   2751/tcp
fjippol-port2   2751/udp
rsisysaccess    2752/tcp  RSISYS ACCESS
rsisysaccess    2752/udp  RSISYS ACCESS
de-spot         2753/tcp  de-spot
de-spot         2753/udp  de-spot
apollo-cc       2754/tcp  APOLLO CC
apollo-cc       2754/udp  APOLLO CC
expresspay      2755/tcp  Express Pay
expresspay      2755/udp  Express Pay
simplement-tie  2756/tcp  simplement-tie
simplement-tie  2756/udp  simplement-tie
cnrp            2757/tcp  CNRP
cnrp            2757/udp  CNRP
apollo-status   2758/tcp  APOLLO Status
apollo-status   2758/udp  APOLLO Status
apollo-gms      2759/tcp  APOLLO GMS
apollo-gms      2759/udp  APOLLO GMS
sabams          2760/tcp  Saba MS
sabams          2760/udp  Saba MS
dicom-iscl      2761/tcp  DICOM ISCL
dicom-iscl      2761/udp  DICOM ISCL
dicom-tls       2762/tcp  DICOM TLS
dicom-tls       2762/udp  DICOM TLS
desktop-dna     2763/tcp  Desktop DNA
desktop-dna     2763/udp  Desktop DNA
data-insurance  2764/tcp  Data Insurance
data-insurance  2764/udp  Data Insurance
qip-audup       2765/tcp  qip-audup
qip-audup       2765/udp  qip-audup
compaq-scp      2766/tcp  Compaq SCP
compaq-scp      2766/udp  Compaq SCP
uadtc           2767/tcp  UADTC
uadtc           2767/udp  UADTC
uacs            2768/tcp  UACS
uacs            2768/udp  UACS
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etebac5 
hpss-ndapi 
hpss-ndapi 


aeroflight-ads 
aeroflight-ads 
aeroflight-ret 
aeroflight-ret 
qt-serveradmin 
qt-serveradmin 
sweetware-apps 
sweetware-apps 


nerv 

nerv 

tgp 

tgp 

vpnz 

vpnz 
slinkysearch 
slinkysearch 
stgxfws 
stgxfws 
dns2go 
dns2go 
florence 
florence 
novell-zfs 
novell-zfs 
periscope 
periscope 


menandmice-lpm 
menandmice-lpm 


mtrgtrans 
mtrgtrans 


univ-appserver 
univ-appserver 


search-agent 
search-agent 


nmsd 
nmsd 


nermes 
nermes 





husky 

husky 

rxmon 

rxmon 
sti-envision 
sti-envision 
bmc_patroldb 
bmc-patroldb 
pdps 

pdps 

# 

panja-icsp 
panja-icsp 
panja-axbnet 
panja-axbnet 
pip 

pip 

# 





digital-notary 
digital-notary 


# 

vpjp 

vpjp 
alta-ana-lm 


h323hostcallsc 
h323hostcallsc 


1216/udp
1217/tcp
1217/udp
1218/tcp
1218/udp
1219/tcp
1219/udp
1220/tcp
1220/udp
1221/tcp
1221/udp
1222/tcp
1222/udp
1223/tcp
1223/udp
1224/tcp
1224/udp
1225/tcp
1225/udp
1226/tcp
1226/udp
1227/tcp
1227/udp
1228/tcp
1228/udp
1229/tcp
1229/udp
1230/tcp
1230/udp
1231/tcp
1231/udp
1232/tcp
1232/udp
1233/tcp
1233/udp
1234/tcp
1234/udp
1235-1238
1239/tcp
1239/udp
1240-1247
1248/tcp
1248/udp
1249-1299
1300/tcp
1300/udp
1301-1309
1310/tcp
1310/udp
1311/tcp
1311/udp
1312/tcp
1312/udp
1313/tcp
1313/udp
1314/tcp
1314/udp
1315-1318
1319/tcp
1319/udp
1320/tcp
1320/udp
1321/tcp
1321/udp
1322-1334
1335/tcp
1335/udp
1336-1344
1345/tcp
1345/udp
1346/tcp











ETEBAC 5 
HPSS-NDAPI 
HPSS-NDAPI 
AeroFlight-ADs
AeroFlight-ADs
AeroFlight-Ret
AeroFlight-Ret
QT SERVER ADMIN 
QT SERVER ADMIN 
SweetWARE Apps 
SweetWARE Apps 
I R&D network 
I R&D network 





VPNZ
SLINKYSEARCH
SLINKYSEARCH
STGXFWS
STGXFWS
DNS2Go
DNS2Go
FLORENCE
FLORENCE
Novell ZFS 
Novell ZFS 
Periscope 
Periscope 
menandmice-lpm 
menandmice-lpm 
mtrgtrans 
mtrgtrans 
Universal App 
Universal App 
Infoseek Search 
Infoseek Search 
Unassigned 
NMSD 

NMSD 
Unassigned 
Unassigned
H323 Host Call 
H323 Host Call 
Unassigned 
Husky 

Husky 

RxMon 

RxMon 

STI Envision 
STI Envision 
BMC_PATROLDB 
BMC_PATROLDB 
Photoscript 
Photoscript 
Unassigned 
Panja-ICSP
Panja-ICSP 
Panja-AXBNET 
Panja-AXBNET 
PIP 

PIP 

Unassigned 
Digital Notary 
Digital Notary 
Unassigned 
VPJP 

VPJP 

Alta Analytics 





singlept-mvs 
singlept-mvs 
veronica 
veronica 
vergencecm 
vergencecm 
auris 

auris 
pcbakcup1
pcbakcup1
pcbakcup2
pcbakcup2
smpp 

smpp 
ridgeway1
ridgeway1
ridgeway2 
ridgeway2 
gwen-sonya 
gwen-sonya 
lbc-sync 
lbc-sync 
lbc-control 
lbc-control 
whosells 
whosells 
everydayrc 
everydayrc 
aises 

aises 

www-dev 
www-dev 
aic-np 

aic-np 
aic-oncrpc 
aic-oncrpc 
piccolo 
piccolo 
fryeserv 
fryeserv 
media-agent 
media-agent 
plgproxy 
plgproxy 
mtport-regist
mtport-regist
f5-globalsite
f5-globalsite
initlsmsad 
initlsmsad 
aaftp 

aaftp 
livestats 
livestats 
ac-tech 
ac-tech 
esp-encap 
esp-encap 
tmesis-upshot 
tmesis-upshot 
icon-discover 
icon-discover 
acc-raid 
acc-raid 

igcp 

igcp 
veritas-tcp1
veritas-udp1
btprjctrl 
btprjctrl 
telexis-vtu 


2769/tcp
2769/udp
2770/tcp
2770/udp
2771/tcp
2771/udp
2772/tcp
2772/udp
2773/tcp
2773/udp
2774/tcp
2774/udp
2775/tcp
2775/udp
2776/tcp
2776/udp
2777/tcp
2777/udp
2778/tcp
2778/udp
2779/tcp
2779/udp
2780/tcp
2780/udp
2781/tcp
2781/udp
2782/tcp
2782/udp
2783/tcp
2783/udp
2784/tcp
2784/udp
2785/tcp
2785/udp
2786/tcp
2786/udp
2787/tcp
2787/udp
2788/tcp
2788/udp
2789/tcp
2789/udp
2790/tcp
2790/udp
2791/tcp
2791/udp
2792/tcp
2792/udp
2793/tcp
2793/udp
2794/tcp
2794/udp
2795/tcp
2795/udp
2796/tcp
2796/udp
2797/tcp
2797/udp
2798/tcp
2798/udp
2799/tcp
2799/udp
2800/tcp
2800/udp
2801/tcp
2801/udp
2802/tcp
2802/udp
2803/tcp
2803/udp
2804/tcp










Port list 
Single Point MVS
Single Point MVS
Veronica
Veronica
Vergence CM
Vergence CM
auris 

auris 

PC Backup 

PC Backup 

PC Backup 

PC Backup 

SMPP

SMPP

Ridgeway 
Ridgeway 
Ridgeway 
Ridgeway 
Gwen-Sonya 
Gwen-Sonya 

LBC Sync 

LBC Sync 

LBC Control 
LBC Control 
whosells 
whosells 
everydayrc 
everydayrc 
AISES 

AISES 

world wide web 
world wide web 
aic-np 

aic-np 
aic-oncrpc 
aic-oncrpc 
piccolo 
piccolo 
NetWare Loadable 
NetWare Loadable 
Media Agent 
Media Agent 
PLG Proxy 

PLG Proxy 

MT Port Regist 
MT Port Regist 
f5-globalsite
f5-globalsite
initlsmsad 
initlsmsad 
aaftp 

aaftp 
LiveStats 
LiveStats 
ac-tech 
ac-tech 
esp-encap 
esp-encap 
TMESIS-UPShot 
TMESIS-UPShot
ICON Discover 
ICON Discover 
ACC RAID 

ACC RAID 

IGCP 

IGCP 

Veritas TCP1
Veritas UDP1 
btprjctrl 
btprjctrl 
Telexis VTU
alta-ana-lm
bbn-mmc 
bbn-mmc 
bbn-mmx 
bbn-mmx 

sbook 

sbook 
editbench 
editbench 
equationbuilder 
equationbuilder 
lotusnote 
lotusnote 
relief 

relief 
rightbrain 
rightbrain 
intuitive-edge 
intuitive-edge 
cuillamartin 
cuillamartin 
pegboard 
pegboard 
connicli 
connicli 
ftsrv 

ftsrv 

mimer 

mimer 

linx 

linx 
timeflies 
timeflies 
ndm-requester 
ndm-requester 
ndm-server 
ndm-server 
adapt-sna 
adapt-sna 
netware-csp 
netware-csp 
dcs 

dcs 
screencast 
screencast 
gv-us 

gv-us 

us-gv 

us-gv 

fc-cli

fc-cli

fc-ser 

fc-ser 
chromagrafx 
chromagrafx 
molly 

molly 

bytex 

bytex 

ibm-pps 
ibm-pps 
cichlid 
cichlid 

elan 

elan 
dbreporter 
dbreporter 
telesis-licman 
telesis-licman 
apple-licman 
apple-licman 


1346/udp
1347/tcp
1347/udp
1348/tcp
1348/udp
1349/tcp
1349/udp
1350/tcp
1350/udp
1351/tcp
1351/udp
1352/tcp
1352/udp
1353/tcp
1353/udp
1354/tcp
1354/udp
1355/tcp
1355/udp
1356/tcp
1356/udp
1357/tcp
1357/udp
1358/tcp
1358/udp
1359/tcp
1359/udp
1360/tcp
1360/udp
1361/tcp
1361/udp
1362/tcp
1362/udp
1363/tcp
1363/udp
1364/tcp
1364/udp
1365/tcp
1365/udp
1366/tcp
1366/udp
1367/tcp
1367/udp
1368/tcp
1368/udp
1369/tcp
1369/udp
1370/tcp
1370/udp
1371/tcp
1371/udp
1372/tcp
1372/udp
1373/tcp
1373/udp
1374/tcp
1374/udp
1375/tcp
1375/udp
1376/tcp
1376/udp
1377/tcp
1377/udp
1378/tcp
1378/udp
1379/tcp
1379/udp
1380/tcp
1380/udp
1381/tcp
1381/udp














Alta Analytics 
multi media conf 
multi media conf 
multi media conf 
multi media conf 
Registration Net 
Registration Net 
Registration Net 
Registration Net 
Digital Works 
Digital Works 
Lotus Note 

Lotus Note 
Relief Consult 
Relief Consult 
RightBrain Soft 
RightBrain Soft 
Intuitive Edge 
Intuitive Edge 
CuillaMartin 
CuillaMartin 
Elect PegBoard 
Elect PegBoard 
CONNLCLI 
CONNLCLI 

FTSRV 

FTSRV 

MIMER 

MIMER 

Linx 

Linx 

TimeFlies 
TimeFlies 
DataMover Req 
DataMover Req 
DataMover Server 
DataMover Server 
Software Ass 
Software Ass 
Novell NetWare 
Novell NetWare 
DCS 

DCS 
ScreenCast 
ScreenCast 
GV to Unix Shell
GV to Unix Shell
Unix Shell to GV
Unix Shell to GV
Fujitsu Config
Fujitsu Config
Fujitsu Config
Fujitsu Config
Chromagrafx
Chromagrafx
EPI Software Sys
EPI Software Sys
Bytex
Bytex
IBM Pers to Pers
IBM Pers to Pers
Cichlid
Cichlid
Elan
Elan
Integrity Sol
Integrity Sol
Telesis Network
Telesis Network
Apple Network
Apple Network





telexis-vtu 
wta-wsp-s 
wta-wsp-s 
cspuni 

cspuni 
cspmulti 
cspmulti 
j-lan-p
j-lan-p 
corbaloc 
corbaloc 
netsteward 
netsteward 
gsiftp 

gsiftp 

atmtcp 

atmtcp 
lim-pass 
lim-pass 
lim-csv 
lim-csv 
lbc-measure 
lbc-measure 
lbc-watchdog 
lbc-watchdog 
nmsigport 
nmsigport 
rmink 

rmink 
fc-faultnotify 
fc-faultnotify 
univision 
univision 
vml_dms
vml_dms

ka0wuc

ka0wuc
cqg-netlan 
cqg-netlan 
slc-systemlog 
slc-systemlog 
slc-ctrlrloops 
slc-ctrlrloops 
itm-lm 

itm-lm 

silkp1

silkp1

silkp2 

silkp2 

silkp3 

silkp3 

silkp4 

silkp4 

glishd 

glishd 

evtp 
evtp 
evtp-data 
evtp-data 
catalyst 
catalyst 
repliweb 
repliweb 
starbot 
starbot 
nmsigport 
nmsigport 
l3-exprt
l3-exprt
l3-ranger
l3-ranger










2804/udp
2805/tcp
2805/udp
2806/tcp
2806/udp
2807/tcp
2807/udp
2808/tcp


2818/udp
2819/tcp
2819/udp
2820/tcp
2820/udp
2821/tcp
2821/udp
2822/tcp
2822/udp
2823/tcp
2823/udp
2826/tcp
2826/udp
2827/tcp
2827/udp
2828/tcp
2828/udp
2829/tcp
2829/udp
2830/tcp
2830/udp
2831/tcp
2831/udp
2832/tcp
2832/udp
2833/tcp
2833/udp
2834/tcp
2834/udp
2835/tcp
2835/udp
2836/tcp
2836/udp
2837/tcp
2837/udp
2838/tcp
2838/udp
2839/tcp
2839/udp
2840/tcp
2840/udp
2841/tcp
2841/udp
Telexis VTU
WTA WSP-S 
WTA WSP-S 
cspuni 
cspuni 
cspmulti 
cspmulti 
J-LAN-P 
J-LAN-P 
CORBA LOC 
CORBA LOC 
Active Net 
Active Net 
GSI FTP 
GSI FTP 
atmtcp 
atmtcp 
lim-pass 
lim-pass 
lim-csv 
lim-csv 
LBC Measurement 
LBC Measurement 
LBC Watchdog 
LBC Watchdog 
NMSig Port 
NMSig Port 
rmink 
rmink 
FC Fault Notif 
FC Fault Notif 
UniVision 
UniVision 
vml_dms 
vml_dms 
ka0wuc
ka0wuc
CQG Net /LAN 
CQG Net /LAN 
slc systemlog 
slc systemlog 
slc ctrlrloops
slc ctrlrloops
ITM License Mgr 
ITM License Mgr 
silkp1
silkp1
silkp2 
silkp2 





silkp3 
silkp3 
silkp4 
silkp4 
glishd 
glishd 
EVTP 
EVTP 
EVTP-DATA 
EVTP-DATA 
catalyst 
catalyst 
Repliweb 
Repliweb 
Starbot 
Starbot 
NMSigPort 
NMSigPort 
l3-exprt
l3-exprt
l3-ranger
l3-ranger
udt_os

udt_os 

gwha 

gwha 

os-licman 
os-licman 
atex_elmd 
atex_elmd 
checksum 
checksum 
cadsi-lm 
cadsi-lm 
objective-dbc 
objective-dbc 
iclpv-dm 
iclpv-dm 
iclpv-se
iclpv-se 
iclpv-sas 
iclpv-sas 
iclpv-pm 
iclpv-pm 
iclpv-nls 
iclpv-nls 
iclpv-nic 
iclpv-nic 
iclpv-wsm 
iclpv-wsm 
dvl-activemail 
dvl-activemail 
audio-activmail 
audio-activmail 
video-activmail 
video-activmail 
cadkey-licman
cadkey-licman 
cadkey-tablet 
cadkey-tablet 
goldleaf-licman 
goldleaf-licman 
prm-sm-np 
prm-sm-np 
prm-nm-np 
prm-nm-np 
igi-lm 

igi-lm 

ibm-res 
ibm-res 
netlabs-lm
netlabs-lm
dbsa-lm
dbsa-lm
sophia-lm 
sophia-lm 
here-lm 
here-lm 

hig 

hig 

af 

af 

innosys 
innosys 
innosys-acl 
innosys-acl 
ibm-mqseries 
ibm-mqseries 
dbstar 

dbstar 
novell-lu6.2
novell-lu6.2
timbuktu-srv1


1382/tcp
1382/udp
1383/tcp
1383/udp
1384/tcp
1384/udp
1385/tcp
1385/udp
1386/tcp
1386/udp
1387/tcp
1387/udp
1388/tcp
1388/udp
1389/tcp
1389/udp
1390/tcp
1390/udp
1391/tcp
1391/udp
1392/tcp
1392/udp
1393/tcp
1393/udp
1394/tcp
1394/udp
1395/tcp
1395/udp
1396/tcp
1396/udp
1397/tcp
1397/udp
1398/tcp
1398/udp
1399/tcp
1399/udp
1400/tcp
1400/udp
1401/tcp
1401/udp
1402/tcp
1402/udp
1403/tcp
1403/udp
1404/tcp
1404/udp
1405/tcp
1405/udp
1406/tcp
1406/udp
1407/tcp
1407/udp
1408/tcp
1408/udp
1409/tcp
1409/udp
1410/tcp
1410/udp
1411/tcp
1411/udp
1412/tcp
1412/udp
1413/tcp
1413/udp
1414/tcp
1414/udp
1415/tcp
1415/udp
1416/tcp
1416/udp
1417/tcp








GW Hannaway 

GW Hannaway 
Objective Sol 
Objective Sol 
Atex Publishing 
Atex Publishing 
CheckSum 
CheckSum 
Computer Aided 
Computer Aided 
Objective Sol 
Objective Sol 
Document Manager 
Document Manager 
Storage Ctl 
Storage Ctl 
Storage Access 
Storage Access 


Print Manager 
Print Manager 
Network Log Serv 
Network Log Serv 
Network Log Clt 
Network Log Clt 


PC Workstation 
PC Workstation 
DVL Active Mail 
DVL Active Mail 








Audio Act Mail 
Audio Act Mail 
Video Act Mail 
Video Act Mail 
Cadkey 

Cadkey 

Cadkey 

Cadkey 

Goldleaf 
Goldleaf 
Prospero Res Man 
Prospero Res Man 
Prospero Res Man 
Prospero Res Man 
Infinite Graph 
Infinite Graph 


IBM Remote Exec 
IBM Remote Exec 
NetLabs 

NetLabs 

DBSA 

DBSA 

Sophia 

Sophia 

Here License Man 
Here License Man 
HiQ License Man 
HiQ License Mana 
AudioFile 
AudioFile 
InnoSys 

InnoSys 
Innosys-ACL 
Innosys-ACL 

IBM MQSeries 

IBM MQSeries 
DBStar 

DBStar 

Novell LU6.2 
Novell LU6.2 
Timbuktu Serv 1 





l3-hawk
l3-hawk

pdnet 

pdnet 
bpcp-poll 
bpcp-poll 
bpcp-trap 
bpcp-trap 
aimpp-hello 
aimpp-hello 
aimpp-port-req 
aimpp-port-req
amt-blc-port
amt-blc-port
fxp 
fxp 
metaconsole 
metaconsole 
webemshttp 
webemshttp 
bears-01
bears-01 
ispipes 
ispipes 
infomover 
infomover 
cesdinv 
cesdinv 
simctlp 
simctlp 

ecnp 

ecnp 
activememory 
activememory 
dialpad-voicel 
dialpad-voicel 
dialpad-voice2 
dialpad-voice2 
ttg-protocol 
ttg-protocol 
sonardata 
sonardata 
astromed-main 
astromed-main 
pit-vpn 
pit-vpn 
lwlistener 
lwlistener 
esps-portal 
esps-portal 
npep-messaging 
npep-messaging 
icslap 
icslap 
daishi 

daishi 
msi-selectplay 
msi-selectplay 
contract 
contract 
paspar2-zoomin 
paspar2-zoomin 
dxmessagebasel 
dxmessagebasel 
dxmessagebase2 
dxmessagebase2 
sps-tunnel 
sps-tunnel 
bluelance 
bluelance 

aap 











2842/tc 
2842/ud 
2843/tc 
2843/ud 
2844/tc 
2844/ud 
2845/tc 
2845/ud 
2846/tc 
2846/ud 
2847/tc 
2847/ud 
2848/tc 
2848/ud 
2849/tc 
2849/ud 
2850/tc 
2850/ud 
2851/tec 
2851/ud 
2852/tc 
2852/ud 
2853/tec 
2853/ud 
2854/tc 
2854/ud 
2856/tc 
2856/ud 
2857/te 
2857/ud 
2858/tc 
2858/ud 
2859/tc 
2859/ud 
2860/tc 
2860/ud 
2861/tc 
2861/ud 
2862/tc 
2862/ud 
2863/tc 
2863/ud 
2864/tc 
2864/ud 
2865/te 
2865/ud 
2866/tc 
2866/ud 
2867/tc 
2867/ud 
2868/tc 
2868/ud 
2869/tc 
2869/ud 
2870/tc 
2870/ud 
2871/tc 
2871/ud 
2872/tc 
2872/ud 
2873/tc 
2873/ud 
2874/tc 
2874/ud 
2875/tec 
2875/ud 
2876/tc 
2876/ud 
2877/tc 
2877/ud 
2878/tc 
l3-hawk
l3-hawk
PDnet 
PDnet 
BPCP 
BPCP 
BPCP 
BPCP 
AIMPP 
AIMPP 
AIMPP Port Req 
AIMPP Port Req 
AMT-BLC-PORT 
AMT-BLC-PORT 
FXP 
FXP 
MetaConsole 
MetaConsole 
webemshttp 
webemshttp 
bears-01 
bears-01
ISPipes 
ISPipes 
InfoMover 
InfoMover 
cesdinv 
cesdinv 
SimCtlP
SimCtlP

ECNP 

ECNP 

Active Memory 
Active Memory 
Dialpad Voice 
Dialpad Voice 
Dialpad Voice 
Dialpad Voice 
TTG Protocol 
TTG Protocol 
Sonar Data 
Sonar Data 
main 5001 cmd 
main 5001 cmd 
pit-vpn 
pit-vpn 
lwlistener 
lwlistener 
esps-portal 
esps-portal 
NPEP Messaging 
NPEP Messaging 
ICSLAP 
ICSLAP 
daishi 

daishi 

MSI Select Play 
MSI Select Play 
CONTRACT 
CONTRACT 
PASPAR2 ZoomIn 
PASPAR2 ZoomIn 
dxmessagebasel 
dxmessagebasel 
dxmessagebase2 
dxmessagebase2 
SPS Tunnel 

SPS Tunnel 
BLUELANCE 
BLUELANCE 

AAP 


POLL 
POLL 
TRAP 
TRAP 
Hello 
Hello 
timbuktu-srv1
timbuktu-srv2 
timbuktu-srv2 
timbuktu-srv3 
timbuktu-srv3 
timbuktu-srv4 
timbuktu-srv4 
gandalf-lm
gandalf-lm
autodesk-lm 
autodesk-lm 
essbase 
essbase 
hybrid 
hybrid 
zion-lm 
zion-lm 

sais 

sais 

mloadd 
mloadd 
informatik-lm 
informatik-lm 
nms 

nms 

tpdu 

tpdu 

rgtp 

rgtp 
blueberry-lm
blueberry-lm
ms-sql-s 
ms-sql-s 
ms-sql-m 
ms-sql-m 
ibm-cics 
ibm-cics 
saism 

saism 

tabula 
tabula 
eicon-server 
eicon-server 
eicon-x25 
eicon-x25 
eicon-slp 
eicon-slp 
cadis-1 
cadis-1 
cadis-2 
cadis-2 
ies-lm 
ies-lm 
marcam-lm 
marcam-lm 
proxima-lm 
proxima-lm 
ora-lm 
ora-lm 
apri-lm
apri-lm
oc-lm 

oc-lm 

peport 

peport 

dwt 

dwt 

infoman 
infoman 
gtegsc-lm
gtegsc-lm


1417/udp 
1418/tcp 
1418/udp 
1419/tcp 
1419/udp 
1420/tcp 
1420/udp 
1421/tcp
1421/udp 
1422/tcp 
1422/udp 
1423/tcp 
1423/udp 
1424/tcp 
1424/udp 
1425/tcp 
1425/udp 
1426/tcp 
1426/udp 
1427/tcp 
1427/udp 
1428/tcp 
1428/udp 
1429/tcp 
1429/udp 
1430/tcp 
1430/udp 
1431/tcp 
1431/udp 
1432/tcp 
1432/udp 
1433/tcp 
1433/udp 
1434/tcp 
1434/udp 
1435/tcp 
1435/udp 
1436/tcp 
1436/udp 
1437/tcp 
1437/udp 

















1452/tcp 
1452/udp 





Timbuktu Serv 
Timbuktu Serv 
Timbuktu Serv 
Timbuktu Serv 
Timbuktu Serv 
Timbuktu Serv 
Timbuktu Serv 
Gandalf 
Gandalf 
Autodesk 
Autodesk 
Essbase Arbor 
Essbase Arbor 
Hybrid Encrypt 
Hybrid Encrypt 
Zion Software 
Zion Software 
Satellite-data 1 
Satellite-data 1 
mloadd 

mloadd 
Informatik 
Informatik 
Hypercom NMS 
Hypercom NMS 
Hypercom TPDU 
Hypercom TPDU 
Reverse Gossip 
Reverse Gossip 
Blueberry Soft 
Blueberry Soft 
Microsoft-SQL 
Microsoft-SQL 
Microsoft-SQL 
Microsoft-SQL
IBM CICS 
IBM CICS 
Satellite-data 
Satellite-data 2 
Tabula 

Tabula

Eicon Security 
Eicon Security 
Eicon X25/SNA 
Eicon X25/SNA 
Eicon Service 
Eicon Service 
Cadis 

Cadis 

Cadis 

Cadis 

Int Eng Soft 

Int Eng Soft 
Marcam 

Marcam 

Proxima 

Proxima 

Optical Research 
Optical Research 
Applied Parallel 
Applied Parallel 
OpenConnect 
OpenConnect 
PEport 

PEport 

Tandem 

Tandem 

IBM Information 
IBM Information 
GTE Government 
GTE Government 
aap
ucentric-ds
ucentric-ds
synapse 
synapse 

ndsp 

ndsp 

ndtp 

ndtp 

ndnp 

ndnp 

flashmsg 
flashmsg 
topflow 
topflow 
responselogic 
responselogic 
aironetddp 
aironetddp 
spcsdlobby 
spcsdlobby 
rsom 

rsom 
cspclmulti
cspclmulti 
cinegrfx-elmd 
cinegrfx-elmd 
snifferdata 
snifferdata 
vseconnector 
vseconnector 
abacus-remote 
abacus-remote 
natuslink 
natuslink 
ecovisiong6-1 
ecovisiong6-1 
citrix-rtmp 
citrix-rtmp 
appliance-cfg 
appliance-cfg 
powergemplus 
powergemplus 
quicksuite 
quicksuite 
allstorcns 
allstorcns 
netaspi 
netaspi 
suitcase 
suitcase 

m2ua 

m2ua 

m3ua 

m3ua 

caller9 
caller9 
webmethods-b2b
webmethods-b2b
mao 

mao 
funk-dialout 
funk-dialout 
tdaccess 
tdaccess 
blockade 
blockade 
epicon 

epicon 
boosterware 
boosterware 


2878/udp
2879/tcp
2879/udp
2880/tcp
2880/udp
2881/tcp
2881/udp
2882/tcp
2882/udp
2883/tcp
2883/udp
2884/tcp
2884/udp
2885/tcp
2885/udp
2886/tcp
2886/udp
2887/tcp
2887/udp
2888/tcp
2888/udp
2889/tcp
2889/udp
2890/tcp
2890/udp
2891/tcp
2891/udp
2892/tcp
2892/udp
2893/tcp
2893/udp
2894/tcp
2894/udp
2895/tcp
2895/udp
2896/tcp
2896/udp
2897/tcp
2897/udp
2898/tcp
2898/udp
2899/tcp
2899/udp
2900/tcp
2900/udp
2901/tcp
2901/udp
2902/tcp
2902/udp
2903/tcp
2903/udp
2904/tcp
2904/udp
2905/tcp
2905/udp
2906/tcp
2906/udp
2907/tcp
2907/udp
2908/tcp
2908/udp
2909/tcp
2909/udp
2910/tcp
2910/udp
2911/tcp
2911/udp
2912/tcp
2912/udp
2913/tcp
2913/udp










APPENDIX D


AAP 
ucentric-ds
ucentric-ds
synapse 
synapse 
NDSP 
NDSP 
NDTP 
NDTP 
NDNP 
NDNP 
Flash Msg 
Flash Msg 
TopFlow

TopFlow
RESPONSELOGIC 
RESPONSELOGIC 
aironet 
aironet 
SPCSDLOBBY 
SPCSDLOBBY 
RSOM 
RSOM 
CSPCLMULTI 
CSPCLMULTI 
CINEGRFX-ELMD 
CINEGRFX-ELMD 
SNIFFERDATA 
SNIFFERDATA 
VSECONNECTOR 
VSECONNECTOR 
ABACUS-REMOTE
ABACUS-REMOTE
NATUS LINK 
NATUS LINK 
ECOVISIONG6-1 
ECOVISIONG6-1 
Citrix RTMP 
Citrix RTMP 
APPLIANCE-CFG
APPLIANCE-CFG
POWERGEMPLUS
POWERGEMPLUS
QUICKSUITE
QUICKSUITE
ALLSTORCNS
ALLSTORCNS
NETASPI
NETASPI
SUITCASE
SUITCASE
CALLER9
CALLER9
WEBMETHODS B2B 
WEBMETHODS B2B 
mao 

mao 

Funk Dialout 
Funk Dialout 
TDAccess 
TDAccess 
Blockade 
Blockade 
Epicon 

Epicon 

Booster Ware 
Booster Ware 
genie-lm
genie-lm 
interhdl_elmd 
interhdl_elmd 
esl-lm 

esl-lm 

dca 

dca 
valisys-lm
valisys-lm
nrcabq-lm
nrcabq-lm
proshare1
proshare1
proshare2 
proshare2 
ibm_wrless_lan 
ibm_wrless_lan 
world-lm 
world-lm 
nucleus 
nucleus 
msl_ilmd 
msl_ilmd 

pipes 

pipes 
oceansoft-lm 
oceansoft-lm 
csdmbase 
csdmbase 

csdm 

csdm 

aal-lm 

aal-lm 

uaiact 

uaiact 
csdmbase 
csdmbase 

csdm 

csdm 

openmath 
openmath 
telefinder 
telefinder 
taligent-lm 
taligent-lm 
clvm-cfg 
clvm-cfg 
ms-sna-server
ms-sna-server
ms-sna-base
ms-sna-base
dberegister 
dberegister 
pacerforum 
pacerforum 
airs 

airs 
miteksys-lm
miteksys-lm
afs 

afs 

confluent 
confluent 
lansource 
lansource 
nms_topo_serv 
nms_topo_serv 
localinfosrvr 
localinfosrvr 
docstor 
tcp


1453/udp 
1454/ 
1454/udp 
1474/
1474/
1475/
1475/
1476/
1476/
1477/
1477/
1478/
1478/
1479/
1479/
1480/
1481/
1481/
1482/
1482/
1483/
1483/
1484/
1484/
1485/
1485/
1486/
1486/
1487/
1487/
1488/
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
tcp
udp
udp
tcp
udp
tcp
tcp
udp
udp
Genie

Genie 

interHDL 
interHDL 

ESL 

ESL 

DCA 

DCA 

Valisys 

Valisys 

Nichols Research 
Nichols Research 
Proshare App 
Proshare App 
Proshare App 
Proshare App 
IBM Wireless LAN 
IBM Wireless LAN 
World 

World 

Nucleus 

Nucleus 

MSL License Man 
MSL License Man 
Pipes Platform 
Pipes Platform 
Ocean Software 
Ocean Software 
CSDMBASE 
CSDMBASE 

CSDM 

CSDM 

Active Analysis 
Active Analysis 
Univ Analytics 
Univ Analytics 
csdmbase 
csdmbase 

csdm 

csdm 

OpenMath 
OpenMath 
Telefinder 
Telefinder 
Taligent 
Taligent 
clvm-cfg 
clvm-cfg 
ms-sna-server
ms-sna-server
ms-sna-base
ms-sna-base
dberegister 
dberegister 
PacerForum 
PacerForum 
AIRS 

AIRS 

Miteksys 
Miteksys 

AFS 

AFS 

Confluent 
Confluent 
LANSource 
LANSource 
nms_topo_serv 
nms_topo_serv 
LocalInfoSrvr 
LocalInfoSrvr 
DocStor 





gamelobby 
gamelobby 
tksocket 
tksocket 
elvin_server 
elvin_server 
elvin_client 
elvin_client 
kastenchasepad 
kastenchasepad 
roboer 

roboer 
roboeda 
roboeda 
cesdcdman 
cesdcdman 
cesdcdtrn 
cesdcdtrn 
wta-wsp-wtp-s 
wta-wsp-wtp-s 
precise-vip 
precise-vip 
frp 

frp 
mobile-file-dl 
mobile-file-dl 
unimobilectrl 
unimobilectrl 
redstone-cpss 
redstone-cpss 
panja-webadmin 
panja-webadmin 
panja-weblinx 
panja-weblinx 
circle-x 
circle-x 

incp 

incp 
4-tieropmgw 
4-tieropmgw 
4-tieropmcli 
4-tieropmcli 
qtp 

qtp 

otpatch 
otpatch 
pnaconsult-lm 
pnaconsult-lm 
sm-pas-1 
sm-pas-1 
sm-pas-2
sm-pas-2
sm-pas-3
sm-pas-3
sm-pas-4
sm-pas-4
sm-pas-5
sm-pas-5
ttnrepository 
ttnrepository 
megaco-h248 
megaco-h248 
h248-binary 
h248-binary 
fjsvmpor
fjsvmpor

gpsd 

gpsd 

wap-push 
wap-push 
wap-pushsecure 
2920/tcp
2920/udp
2921/tcp
2921/udp
2922/tcp
2922/udp
2923/tcp
2923/udp
2924/tcp
2924/udp
2925/tcp
2925/udp
2926/tcp
2926/udp
2927/tcp
2927/udp
2928/tcp
2928/udp
2929/tcp
2929/udp
2930/tcp
2930/udp
2931/tcp
2931/udp
2932/tcp
2932/udp
2933/tcp
2933/udp
2934/tcp
2934/udp
2935/tcp
2935/udp
2936/tcp
2936/udp
2937/tcp
2937/udp
2938/tcp
2938/udp
2939/tcp
2939/udp
2940/tcp
2940/udp
2941/tcp
2941/udp
2942/tcp
2942/udp
2943/tcp
2943/udp
2944/tcp
2944/udp
2945/tcp
2945/udp
2946/tcp
2946/udp
2947/tcp
2947/udp
2948/tcp
2948/udp





Game Lobby
Game Lobby 

TK Socket 

TK Socket 
Elvin Server 
Elvin Server 
Elvin Client 
Elvin Client 
Kasten Chase Pad 
Kasten Chase Pad 
ROBOER 

ROBOER 
ROBOEDA 
ROBOEDA 

CESD Contents 
CESD Contents 
CESD Contents 
CESD Contents 
WTA-WSP-WTP-S 
WTA-WSP-WTP-S 
PRECISE-VIP 
PRECISE-VIP 
Firewall Redund 
Firewall Redund 
MOBILE-FILE-DL 
MOBILE-FILE-DL 
UNIMOBILECTRL 
UNIMOBILECTRL 
REDSTONE-CPSS 
REDSTONE-CPSS
PANJA-WEBADMIN 
PANJA-WEBADMIN 
PANJA-WEBLINX 
PANJA-WEBLINX 
Circle-X 
Circle-X 

INCP 

INCP 

4-TIER OPM GW 
4-TIER OPM GW 
4-TIER OPM CLI 
4-TIER OPM CLI 
QTP 

QTP 

OTPatch 
OTPatch 
PNACONSULT-LM 
PNACONSULT-LM 
SM-PAS-1
SM-PAS-1
SM-PAS-2
SM-PAS-2
SM-PAS-3
SM-PAS-3
SM-PAS-4
SM-PAS-4
SM-PAS-5
SM-PAS-5
TTNRepository
TTNRepository
Megaco H-248 
Megaco H-248 
H248 Binary 
H248 Binary 
FJSVmpor
FJSVmpor

GPSD 

GPSD 

WAP PUSH 

WAP PUSH 

WAP PUSH SECURE 
docstor
dmdocbroker 
dmdocbroker 
insitu-conf 
insitu-conf 
anynetgateway 
anynetgateway 
stone-design-1 
stone-design-1 
netmap_lm 
netmap_lm 

ica 

ica 

cvc 

cvc 
liberty-lm 
liberty-lm 
rfx-lm 

rfx-lm 
sybase-sqlany 
sybase-sqlany 
fhe 

fhe 

visi-lm
visi-lm
saiscm 

saiscm 
shivadiscovery 
shivadiscovery 
imtc-mcs 
imtc-mcs 
evb-elm 
evb-elm 
funkproxy 
funkproxy 
utcd 

utcd 

symplex 
symplex 
diagmond 
diagmond 
robcad-lm 
robcad-lm 
mvx-lm 

mvx-lm 

3l-l1

3l-l1

wins 

wins 
fujitsu-dtc 
fujitsu-dtc 
fujitsu-dtcns
fujitsu-dtcns 
ifor-protocol 
ifor-protocol 
vpad 

vpad 

vpac 

vpac 

vpvd 

vpvd 

vpvc 

vpvc 
atm-zip-office 
atm-zip-office 
ncube-lm
ncube-lm
ricardo-lm 
ricardo-lm 
cichild-lm 
cichild-lm 





1516/ 
1517/ 
1517/ 
1518/ 
1518/ 
1519/ 
1519/ 
1520/ 
1520/ 
1521/ 
1521/ 
1522/ 
1522/ 
1523/ 
1523/ 





tcp 
udp 
tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 





DocStor 
dmdocbroker 
dmdocbroker 
insitu-conf 
insitu-conf 
anynetgateway 
anynetgateway 
stone-design-1 
stone-design-1 
netmap_lm 
netmap_lm 

ica 

ica 

cvc 

cvc

liberty-lm 
liberty-lm 
rfx-lm 

rfx-lm 

Sybase SQL Any 
Sybase SQL Any 
Federico Heinz 
Federico Heinz 
VLSI 

VLSI 
Satellite-data 3 
Satellite-data 3 
Shiva 

Shiva 

Databeam 
Databeam 

EVB Software 

EVB Software 
Funk Software 
Funk Software 
Universal Time 
Universal Time 
Symplex 
Symplex 
diagmond 
diagmond 
Robcad, Ltd.
Robcad, Ltd.
Midland Valley
Midland Valley
3l-l1
3l-l1
Name Service
Name Service
Fujitsu Systems
Fujitsu Systems
Fujitsu Systems
Fujitsu Systems
ifor-protocol
ifor-protocol
Virtual Places
Virtual Places
Virtual Places
Virtual Places
Virtual Places
Virtual Places
Virtual Places
Virtual Places
atm zip office
atm zip office
nCube
nCube
Ricardo North
Ricardo North
cichild
cichild





wap-pushsecure 
esip 

esip 

ottp 

ottp 

mpfwsas 
mpfwsas 
ovalarmsrv 
ovalarmsrv 
ovalarmsrv-cmd 
ovalarmsrv-cmd 
csnotify 
csnotify 
ovrimosdbman 
ovrimosdbman 
jmact5 

jmact5 

jmact6 

jmact6 

rmopagt 
rmopagt 
dfoxserver 
dfoxserver 
boldsoft-lm 
boldsoft-lm 
iph-policy-cli 
iph-policy-cli 
iph-policy-adm 
iph-policy-adm 
bullant-srap 
bullant-srap 
bullant-rap 
bullant-rap 
idp-infotrieve 
idp-infotrieve 
ssc-agent 
ssc-agent 

enpp 

enpp 

essp 

essp 

index-net 
index-net 
netclip 
netclip 
pmsm-webrctl 
pmsm-webrctl 
svnetworks 
svnetworks 
signal 

signal 

fjmpcm 

fjmpcm 
cns-srv-port 
cns-srv-port 
ttc-etap-ns 
ttc-etap-ns 
ttc-etap-ds
ttc-etap-ds
h263-video 
h263-video 
wimd 

wimd 
mylxamport 
mylxamport 
iwb-whiteboard 
iwb-whiteboard 
netplan 
netplan 
hpidsadmin 
hpidsadmin 


2949/udp
2950/tcp
2950/udp
2951/tcp
2951/udp
2952/tcp
2952/udp
2953/tcp
2953/udp
2954/tcp
2954/udp
2955/tcp
2955/udp
2956/tcp
2956/udp
2957/tcp
2957/udp
2958/tcp
2958/udp
2959/tcp
2959/udp
2960/tcp
2960/udp
2961/tcp
2961/udp
2962/tcp
2962/udp
2963/tcp
2963/udp
2964/tcp
2964/udp
2965/tcp
2965/udp
2966/tcp
2966/udp
2967/tcp
2967/udp
2968/tcp
2968/udp
2969/tcp
2969/udp
2970/tcp
2970/udp
2971/tcp
2971/udp
2972/tcp
2972/udp
2973/tcp
2973/udp
2974/tcp
2974/udp
2975/tcp
2975/udp
2976/tcp
2976/udp
2977/tcp
2977/udp
2978/tcp
2978/udp
2979/tcp
2979/udp
2980/tcp
2980/udp
2981/tcp
2981/udp
2982/tcp
2982/udp
2983/tcp
2983/udp
2984/tcp
2984/udp
WAP PUSH SECURE
ESIP
ESIP
OTTP
OTTP
MPFWSAS
MPFWSAS
OVALARMSRV 
OVALARMSRV 
OVALARMSRV-CMD 
OVALARMSRV-CMD 
CSNOTIFY 
CSNOTIFY 
OVRIMOSDBMAN 
OVRIMOSDBMAN 
JMACT5

JMACT5

JMACT6

JMACT6

RMOPAGT 
RMOPAGT 
DFOXSERVER
DFOXSERVER
BOLDSOFT-LM
BOLDSOFT-LM
IPH-POLICY-CLI
IPH-POLICY-CLI
IPH-POLICY-ADM
IPH-POLICY-ADM
BULLANT SRAP
BULLANT SRAP
BULLANT RAP
BULLANT RAP
IDP-INFOTRIEVE
IDP-INFOTRIEVE
SSC-AGENT
SSC-AGENT
ENPP
ENPP
ESSP
ESSP
INDEX-NET
INDEX-NET

Net Clip 

Net Clip 

PMSM Webrctl
PMSM Webrctl 

SV Networks 

SV Networks 
Signal 

Signal 

Fujitsu 

Fujitsu 

CNS Server Port 
CNS Server Port 
TTCs Enterprise 
TTCs Enterprise
TTCs Enterprise
TTCs Enterprise
H.263 Video 
H.263 Video 
Instant

Instant
MYLXAMPORT 
MYLXAMPORT 
IWB-WHITEBOARD
IWB-WHITEBOARD
NETPLAN 
NETPLAN 
HPIDSADMIN 
HPIDSADMIN 


ingreslock
ingreslock 
orasrv 
orasrv 
prospero-np 
prospero-np 
pdap-np 
pdap-np 
tlisrv 
tlisrv 
mciautoreg 
mciautoreg 
coauthor 
coauthor 
rap-service 
rap-service 
rap-listen 
rap-listen 
miroconnect 
miroconnect 
virtual-places 
virtual-places 
micromuse-lm
micromuse-lm
ampr-info 
ampr-info 
ampr-inter 
ampr-inter 
sdsc-lm 
sdsc-lm 
3ds-lm
3ds-lm
intellistor-lm 
intellistor-lm 
rds 

rds 

rds2 

rds2 
gridgen-elmd 
gridgen-elmd 
simba-cs 
simba-cs 
aspeclmd 
aspeclmd 
vistium-share 
vistium-share 
abbaccuray 
abbaccuray 
laplink 
laplink 
axon-lm
axon-lm
shivahose 
shivasound 
3m-image-lm
3m-image-lm
hecmtl-db
hecmtl-db
pciarray 
pciarray 
sna-cs 
sna-cs 
caci-lm
caci-lm
livelan 
livelan 
ashwin 
ashwin 
arbortext-lm 
arbortext-lm
xingmpeg 


1524/tcp
1524/udp
1525/tcp
1525/udp
1525/tcp
1525/udp
1526/tcp
1526/udp
1527/tcp
1527/udp
1528/tcp
1528/udp
1529/tcp
1529/udp
1530/tcp
1530/udp
1531/tcp
1531/udp
1532/tcp
1532/udp
1533/tcp
1533/udp
1534/tcp
1534/udp
1535/tcp
1535/udp
1536/tcp
1536/udp
1537/tcp
1537/udp
1538/tcp
1538/udp
1539/tcp
1539/udp
1540/tcp
1540/udp
1541/tcp
1541/udp
1542/tcp
1542/udp
1543/tcp
1543/udp
1544/tcp
1544/udp
1545/tcp
1545/udp
1546/tcp
1546/udp
1547/tcp
1547/udp
1548/tcp
1548/udp
1549/tcp
1549/udp
1550/tcp
1550/udp
1551/tcp
1551/udp
1552/tcp
1552/udp
1553/tcp
1553/udp
1554/tcp
1554/udp
1555/tcp
1555/udp
1556/tcp
1556/udp
1557/tcp
1557/udp
1558/tcp














ingres 
ingres 
oracle 
oracle 
Prospero 
Prospero 
Prospero 
Prospero 
oracle 
oracle 
micautoreg 
micautoreg 
oracle 
oracle 
rap-service 
rap-service 
rap-listen 
rap-listen 
miroconnect 
miroconnect 
Virtual Places 
Virtual Places 
micromuse-lm
micromuse-lm
ampr-info 
ampr-info 
ampr-inter 
ampr-inter 
isi-lm 
isi-lm 
3ds-lm
3ds-lm
Intellistor 
Intellistor 
rds 
rds 
rds2 
rds2 
gridgen-elmd 
gridgen-elmd 
simba-cs 
simba-cs 
aspeclmd 
aspeclmd 
vistium-share 
vistium-share 
abbaccuray 
abbaccuray 
laplink 
laplink 
Axon 
Axon 
Shiva Hose 
Shiva Sound 
Image 3M 
Image 3M 
HECMTL-DB 
HECMTL-DB 
pciarray 
pciarray 
sna-cs 
sna-cs 
CACI Products 
CACI Products 
livelan 
livelan 
AshWin CI 
AshWin CI 
ArborText 
ArborText 
xingmpeg 





hpidsagent 
hpidsagent
stonefalls 
stonefalls 
identify 
identify 
classify 
classify 
zarkov 

zarkov 

boscap 

boscap 
wkstn-mon 
wkstn-mon 
itb301 

itb301 
veritas-vis1
veritas-vis1
veritas-vis2 
veritas-vis2 
idrs 

idrs 

vsixml 

vsixml 

rebol 

rebol 
realsecure 
realsecure 
remoteware-un 
remoteware-un 
hbci 

hbci 
remoteware-cl 
remoteware-cl 
redwood-broker 
redwood-broker 
exlm-agent 
exlm-agent 
remoteware-srv 
remoteware-srv 
cgms 

cgms 
csoftragent 
csoftragent 
geniuslm 
geniuslm 
ii-admin 
ii-admin 
lotusmtap 
lotusmtap 
midnight-tech 
midnight-tech 
pxc-ntfy 
pxc-ntfy 

gw 

ping-pong 
trusted-web 
trusted-web 
twsdss 

twsdss 
gilatskysurfer 
gilatskysurfer 
broker_service 
broker_service 
nati-dstp 
nati-dstp 
notify_srvr 
notify_srvr 
event_listener 
event_listener 
srvc_registry 


2985/tcp
2985/udp
2986/tcp
2986/udp
2987/tcp
2987/udp
2988/tcp
2988/udp
2989/tcp
2989/udp
2990/tcp
2990/udp
2991/tcp
2991/udp
2992/tcp
2992/udp
2993/tcp
2993/udp
2994/tcp
2994/udp
2995/tcp
2995/udp
2996/tcp
2996/udp
2997/tcp
2997/udp
2998/tcp
2998/udp
2999/tcp
2999/udp
3000/tcp
3000/udp
3000/tcp
3000/udp
3001/tcp
3001/udp
3002/tcp
3002/udp
3002/tcp
3002/udp
3003/tcp
3003/udp
3004/tcp
3004/udp
3005/tcp
3005/udp
3006/tcp
3006/udp
3007/tcp
3007/udp
3008/tcp
3008/udp
HPIDSAGENT

HPIDSAGENT
STONEFALLS 
STONEFALLS 
IDENTIFY 
IDENTIFY 
CLASSIFY 
CLASSIFY 
ZARKOV 

ZARKOV 

BOSCAP 

BOSCAP 

WKSTN-MON

WKSTN-MON
ITB301 

ITB301 

VERITAS VIS1 
VERITAS VIS1 
VERITAS VIS2 
VERITAS VIS2 
IDRS 

IDRS 

vsixml 

vsixml 

REBOL 

REBOL 

Real Secure 
Real Secure 
RemoteWare 
RemoteWare 
HBCI 

HBCI 
RemoteWare Clt 
RemoteWare Clt 
Redwood Broker 
Redwood Broker 
EXLM Agent 
EXLM Agent 
RemoteWare 
RemoteWare 
CGMS 

CGMS 

Csoft Agent 
Csoft Agent 
Genius 
Genius 
Instant Internet 
Instant Internet 
Lotus Mail 

Lotus Mail 
Midnight Tech 
Midnight Techn 
PXC-NTFY 
PXC-NTFY 
Telerate Workst 
Telerate Workst 
Trusted Web 
Trusted Web 
Trusted Web Clt 
Trusted Web Clt 
Gilat Sky Surfer 
Gilat Sky Surfer 
Broker Service 
Broker Service 
NATI DSTP 

NATI DSTP 

Notify Server 
Notify Server 
Event Listener 
Event Listener 
Service Registry 





Serv 
Serv 
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
xingmpeg        1558/udp   xingmpeg
web2host        1559/tcp   web2host
web2host        1559/udp   web2host
asci-val        1560/tcp   asci-val
asci-val        1560/udp   asci-val
facilityview    1561/tcp   facilityview
facilityview    1561/udp   facilityview
pconnectmgr     1562/tcp   pconnectmgr
pconnectmgr     1562/udp   pconnectmgr
cadabra-lm      1563/tcp   Cadabra
cadabra-lm      1563/udp   Cadabra
pay-per-view    1564/tcp   Pay-Per-View
pay-per-view    1564/udp   Pay-Per-View
winddlb         1565/tcp   WinDD
winddlb         1565/udp   WinDD
corelvideo      1566/tcp   CORELVIDEO
corelvideo      1566/udp   CORELVIDEO
jlicelmd        1567/tcp   jlicelmd
jlicelmd        1567/udp   jlicelmd
tsspmap         1568/tcp   tsspmap
tsspmap         1568/udp   tsspmap
ets             1569/tcp   ets
ets             1569/udp   ets
orbixd          1570/tcp   orbixd
orbixd          1570/udp   orbixd
rdb-dbs-disp    1571/tcp   Oracle Rem DB
rdb-dbs-disp    1571/udp   Oracle Rem DB
chip-lm         1572/tcp   Chipcom License
chip-lm         1572/udp   Chipcom License
itscomm-ns      1573/tcp   itscomm-ns
itscomm-ns      1573/udp   itscomm-ns
mvel-lm         1574/tcp   mvel-lm
mvel-lm         1574/udp   mvel-lm
oraclenames     1575/tcp   oraclenames
oraclenames     1575/udp   oraclenames
moldflow-lm     1576/tcp   moldflow-lm
moldflow-lm     1576/udp   moldflow-lm
hypercube-lm    1577/tcp   hypercube-lm
hypercube-lm    1577/udp   hypercube-lm
jacobus-lm      1578/tcp   Jacobus
jacobus-lm      1578/udp   Jacobus
ioc-sea-lm      1579/tcp   ioc-sea-lm
ioc-sea-lm      1579/udp   ioc-sea-lm
tn-tl-r1        1580/tcp   tn-tl-r1
tn-tl-r2        1580/udp   tn-tl-r2
mil-2045-47001  1581/tcp   MIL-2045-47001
mil-2045-47001  1581/udp   MIL-2045-47001
msims           1582/tcp   MSIMS
msims           1582/udp   MSIMS
simbaexpress    1583/tcp   simbaexpress
simbaexpress    1583/udp   simbaexpress
tn-tl-fd2       1584/tcp   tn-tl-fd2
tn-tl-fd2       1584/udp   tn-tl-fd2
intv            1585/tcp   intv
intv            1585/udp   intv
ibm-abtact      1586/tcp   ibm-abtact
ibm-abtact      1586/udp   ibm-abtact
pra_elmd        1587/tcp   pra_elmd
pra_elmd        1587/udp   pra_elmd
triquest-lm     1588/tcp   triquest-lm
triquest-lm     1588/udp   triquest-lm
vqp             1589/tcp   VQP
vqp             1589/udp   VQP
gemini-lm       1590/tcp   gemini-lm
gemini-lm       1590/udp   gemini-lm
ncpm-pm         1591/tcp   ncpm-pm
ncpm-pm         1591/udp   ncpm-pm
commonspace     1592/tcp   commonspace
commonspace     1592/udp   commonspace
mainsoft-lm     1593/tcp   mainsoft-lm
mainsoft-lm     1593/udp   mainsoft-lm
srvc_registry   3018/udp   Service Registry
resource_mgr    3019/tcp   Resource Manager
resource_mgr    3019/udp   Resource Manager
cifs            3020/tcp   CIFS
cifs            3020/udp   CIFS
agriserver      3021/tcp   AGRI Server
agriserver      3021/udp   AGRI Server
csregagent      3022/tcp   CSREGAGENT
csregagent      3022/udp   CSREGAGENT
magicnotes      3023/tcp   magicnotes
magicnotes      3023/udp   magicnotes
nds_sso         3024/tcp   NDS_SSO
nds_sso         3024/udp   NDS_SSO
arepa-raft      3025/tcp   Arepa Raft
arepa-raft      3025/udp   Arepa Raft
agri-gateway    3026/tcp   AGRI Gateway
agri-gateway    3026/udp   AGRI Gateway
LiebDevMgmt_C   3027/tcp   LiebDevMgmt_C
LiebDevMgmt_C   3027/udp   LiebDevMgmt_C
LiebDevMgmt_DM  3028/tcp   LiebDevMgmt_DM
LiebDevMgmt_DM  3028/udp   LiebDevMgmt_DM
LiebDevMgmt_A   3029/tcp   LiebDevMgmt_A
LiebDevMgmt_A   3029/udp   LiebDevMgmt_A
arepa-cas       3030/tcp   Arepa Cas
arepa-cas       3030/udp   Arepa Cas
agentvu         3031/tcp   AgentVU
agentvu         3031/udp   AgentVU
redwood-chat    3032/tcp   Redwood Chat
redwood-chat    3032/udp   Redwood Chat
pdb             3033/tcp   PDB
pdb             3033/udp   PDB
osmosis-aeea    3034/tcp   Osmosis AEEA
osmosis-aeea    3034/udp   Osmosis AEEA
fjsv-gssagt     3035/tcp   FJSV gssagt
fjsv-gssagt     3035/udp   FJSV gssagt
hagel-dump      3036/tcp   Hagel DUMP
hagel-dump      3036/udp   Hagel DUMP
hp-san-mgmt     3037/tcp   HP SAN Mgmt
hp-san-mgmt     3037/udp   HP SAN Mgmt
santak-ups      3038/tcp   Santak UPS
santak-ups      3038/udp   Santak UPS
cogitate        3039/tcp   Cogitate, Inc.
cogitate        3039/udp   Cogitate, Inc.
tomato-springs  3040/tcp   Tomato Springs
tomato-springs  3040/udp   Tomato Springs
di-traceware    3041/tcp   di-traceware
di-traceware    3041/udp   di-traceware
journee         3042/tcp   journee
journee         3042/udp   journee
brp             3043/tcp   BRP
brp             3043/udp   BRP
responsenet     3045/tcp   ResponseNet
responsenet     3045/udp   ResponseNet
di-ase          3046/tcp   di-ase
di-ase          3046/udp   di-ase
hlserver        3047/tcp   Fast Security HL
hlserver        3047/udp   Fast Security HL
pctrader        3048/tcp   Sierra Net PC
pctrader        3048/udp   Sierra Net PC
nsws            3049/tcp   NSWS
nsws            3049/udp   NSWS
gds_db          3050/tcp   gds_db
gds_db          3050/udp   gds_db
galaxy-server   3051/tcp   Galaxy Server
galaxy-server   3051/udp   Galaxy Server
apcpcns         3052/tcp   APCPCNS
apcpcns         3052/udp   APCPCNS
dsom-server     3053/tcp   dsom-server
dsom-server     3053/udp   dsom-server
amt-cnf-prot    3054/tcp   AMT CNF PROT
amt-cnf-prot    3054/udp   AMT CNF PROT
sixtrak         1594/tcp   sixtrak
sixtrak         1594/udp   sixtrak
radio           1595/tcp   radio
radio           1595/udp   radio
radio-sm        1596/tcp   radio-sm
radio-bc        1596/udp   radio-bc
orbplus-iiop    1597/tcp   orbplus-iiop
orbplus-iiop    1597/udp   orbplus-iiop
picknfs         1598/tcp   picknfs
picknfs         1598/udp   picknfs
simbaservices   1599/tcp   simbaservices
simbaservices   1599/udp   simbaservices
issd            1600/tcp   issd
issd            1600/udp   issd
aas             1601/tcp   aas
aas             1601/udp   aas
inspect         1602/tcp   inspect
inspect         1602/udp   inspect
pickodbc        1603/tcp   pickodbc
pickodbc        1603/udp   pickodbc
icabrowser      1604/tcp   icabrowser
icabrowser      1604/udp   icabrowser
slp             1605/tcp   Salutation
slp             1605/udp   Salutation
slm-api         1606/tcp   Salutation
slm-api         1606/udp   Salutation
stt             1607/tcp   stt
stt             1607/udp   stt
smart-lm        1608/tcp   Smart Corp.
smart-lm        1608/udp   Smart Corp.
isysg-lm        1609/tcp   isysg-lm
isysg-lm        1609/udp   isysg-lm
taurus-wh       1610/tcp   taurus-wh
taurus-wh       1610/udp   taurus-wh
ill             1611/tcp   Inter Library
ill             1611/udp   Inter Library
netbill-trans   1612/tcp   NetBill
netbill-trans   1612/udp   NetBill
netbill-keyrep  1613/tcp   NetBill Key
netbill-keyrep  1613/udp   NetBill Key
netbill-cred    1614/tcp   NetBill
netbill-cred    1614/udp   NetBill
netbill-auth    1615/tcp   NetBill
netbill-auth    1615/udp   NetBill
netbill-prod    1616/tcp   NetBill
netbill-prod    1616/udp   NetBill
nimrod-agent    1617/tcp   Nimrod
nimrod-agent    1617/udp   Nimrod
skytelnet       1618/tcp   skytelnet
skytelnet       1618/udp   skytelnet
xs-openstorage  1619/tcp   xs-openstorage
xs-openstorage  1619/udp   xs-openstorage
faxportwinport  1620/tcp   faxportwinport
faxportwinport  1620/udp   faxportwinport
softdataphone   1621/tcp   softdataphone
softdataphone   1621/udp   softdataphone
ontime          1622/tcp   ontime
ontime          1622/udp   ontime
jaleosnd        1623/tcp   jaleosnd
jaleosnd        1623/udp   jaleosnd
udp-sr-port     1624/tcp   udp-sr-port
udp-sr-port     1624/udp   udp-sr-port
svs-omagent     1625/tcp   svs-omagent
svs-omagent     1625/udp   svs-omagent
shockwave       1626/tcp   Shockwave
shockwave       1626/udp   Shockwave
t128-gateway    1627/tcp   T.128 Gateway
t128-gateway    1627/udp   T.128 Gateway
lontalk-norm    1628/tcp   LonTalk normal
lontalk-norm    1628/udp   LonTalk normal
lontalk-urgnt   1629/tcp   LonTalk urgent
policyserver    3055/tcp   Policy Server
policyserver    3055/udp   Policy Server
cdl-server      3056/tcp   CDL Server
cdl-server      3056/udp   CDL Server
goahead-fldup   3057/tcp   GoAhead FldUp
goahead-fldup   3057/udp   GoAhead FldUp
videobeans      3058/tcp   videobeans
videobeans      3058/udp   videobeans
qsoft           3059/tcp   qsoft
qsoft           3059/udp   qsoft
interserver     3060/tcp   interserver
interserver     3060/udp   interserver
cautcpd         3061/tcp   cautcpd
cautcpd         3061/udp   cautcpd
ncacn-ip-tcp    3062/tcp   ncacn-ip-tcp
ncacn-ip-tcp    3062/udp   ncacn-ip-tcp
ncadg-ip-udp    3063/tcp   ncadg-ip-udp
ncadg-ip-udp    3063/udp   ncadg-ip-udp
slinterbase     3065/tcp   slinterbase
slinterbase     3065/udp   slinterbase
netattachsdmp   3066/tcp   NETATTACHSDMP
netattachsdmp   3066/udp   NETATTACHSDMP
fjhpjp          3067/tcp   FJHPJP
fjhpjp          3067/udp   FJHPJP
ls3bcast        3068/tcp   ls3 Broadcast
ls3bcast        3068/udp   ls3 Broadcast
ls3             3069/tcp   ls3
ls3             3069/udp   ls3
mgxswitch       3070/tcp   MGXSWITCH
mgxswitch       3070/udp   MGXSWITCH
#               3071-3074  Unassigned
orbix-locator   3075/tcp   Orbix 2000 Locator
orbix-locator   3075/udp   Orbix 2000 Locator
orbix-config    3076/tcp   Orbix 2000 Config
orbix-config    3076/udp   Orbix 2000 Config
orbix-loc-ssl   3077/tcp   Orbix 2000 Locator SSL
orbix-loc-ssl   3077/udp   Orbix 2000 Locator SSL
orbix-cfg-ssl   3078/tcp   Orbix 2000 Config SSL
orbix-cfg-ssl   3078/udp   Orbix 2000 Config SSL
lv-frontpanel   3079/tcp   LV Front Panel
lv-frontpanel   3079/udp   LV Front Panel
stm_pproc       3080/tcp   stm_pproc
stm_pproc       3080/udp   stm_pproc
tl1-lv          3081/tcp   TL1-LV
tl1-lv          3081/udp   TL1-LV
tl1-raw         3082/tcp   TL1-RAW
tl1-raw         3082/udp   TL1-RAW
tl1-telnet      3083/tcp   TL1-TELNET
tl1-telnet      3083/udp   TL1-TELNET
itm-mccs        3084/tcp   ITM-MCCS
itm-mccs        3084/udp   ITM-MCCS
pcihreq         3085/tcp   PCIHReq
pcihreq         3085/udp   PCIHReq
jdl-dbkitchen   3086/tcp   JDL-DBKitchen
jdl-dbkitchen   3086/udp   JDL-DBKitchen
#               3087-3104  Unassigned
cardbox         3105/tcp   Cardbox
cardbox         3105/udp   Cardbox
cardbox-http    3106/tcp   Cardbox HTTP
cardbox-http    3106/udp   Cardbox HTTP
#               3107-3129  Unassigned
icpv2           3130/tcp   ICPv2
icpv2           3130/udp   ICPv2
netbookmark     3131/tcp   Net Book Mark
netbookmark     3131/udp   Net Book Mark
#               3132-3140  Unassigned
vmodem          3141/tcp   VMODEM
vmodem          3141/udp   VMODEM
rdc-wh-eos      3142/tcp   RDC WH EOS
rdc-wh-eos      3142/udp   RDC WH EOS
seaview         3143/tcp   Sea View
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
lontalk-urgnt   1629/udp   LonTalk urgent
oraclenet8cman  1630/tcp   Oracle Net8 Cman
oraclenet8cman  1630/udp   Oracle Net8 Cman
visitview       1631/tcp   Visit view
visitview       1631/udp   Visit view
pammratc        1632/tcp   PAMMRATC
pammratc        1632/udp   PAMMRATC
pammrpc         1633/tcp   PAMMRPC
pammrpc         1633/udp   PAMMRPC
loaprobe        1634/tcp   America Probe
loaprobe        1634/udp   America Probe
edb-server1     1635/tcp   EDB Server 1
edb-server1     1635/udp   EDB Server 1
cncp            1636/tcp   CableNet
cncp            1636/udp   CableNet
cnap            1637/tcp   CableNet Admin
cnap            1637/udp   CableNet Admin
cnip            1638/tcp   CableNet Info
cnip            1638/udp   CableNet Info
cert-initiator  1639/tcp   cert-initiator
cert-initiator  1639/udp   cert-initiator
cert-responder  1640/tcp   cert-responder
cert-responder  1640/udp   cert-responder
invision        1641/tcp   InVision
invision        1641/udp   InVision
isis-am         1642/tcp   isis-am
isis-am         1642/udp   isis-am
isis-ambc       1643/tcp   isis-ambc
isis-ambc       1643/udp   isis-ambc
saiseh          1644/tcp   Satellite-data 4
datametrics     1645/tcp   datametrics
datametrics     1645/udp   datametrics
sa-msg-port     1646/tcp   sa-msg-port
sa-msg-port     1646/udp   sa-msg-port
rsap            1647/tcp   rsap
rsap            1647/udp   rsap
concurrent-lm   1648/tcp   concurrent-lm
concurrent-lm   1648/udp   concurrent-lm
kermit          1649/tcp   kermit
kermit          1649/udp   kermit
nkd             1650/tcp   nkd
nkd             1650/udp   nkd
shiva_confsrvr  1651/tcp   shiva_confsrvr
shiva_confsrvr  1651/udp   shiva_confsrvr
xnmp            1652/tcp   xnmp
xnmp            1652/udp   xnmp
alphatech-lm    1653/tcp   alphatech-lm
alphatech-lm    1653/udp   alphatech-lm
stargatealerts  1654/tcp   stargatealerts
stargatealerts  1654/udp   stargatealerts
dec-mbadmin     1655/tcp   dec-mbadmin
dec-mbadmin     1655/udp   dec-mbadmin
dec-mbadmin-h   1656/tcp   dec-mbadmin-h
dec-mbadmin-h   1656/udp   dec-mbadmin-h
fujitsu-mmpdc   1657/tcp   fujitsu-mmpdc
fujitsu-mmpdc   1657/udp   fujitsu-mmpdc
sixnetudr       1658/tcp   sixnetudr
sixnetudr       1658/udp   sixnetudr
sg-lm           1659/tcp   Silicon Grail
sg-lm           1659/udp   Silicon Grail
skip-mc-gikreq  1660/tcp   skip-mc-gikreq
skip-mc-gikreq  1660/udp   skip-mc-gikreq
netview-aix-1   1661/tcp   netview-aix-1
netview-aix-1   1661/udp   netview-aix-1
netview-aix-2   1662/tcp   netview-aix-2
netview-aix-2   1662/udp   netview-aix-2
netview-aix-3   1663/tcp   netview-aix-3
netview-aix-3   1663/udp   netview-aix-3
netview-aix-4   1664/tcp   netview-aix-4
netview-aix-4   1664/udp   netview-aix-4
netview-aix-5   1665/tcp   netview-aix-5
seaview         3143/udp   Sea View
tarantella      3144/tcp   Tarantella
tarantella      3144/udp   Tarantella
csi-lfap        3145/tcp   CSI-LFAP
csi-lfap        3145/udp   CSI-LFAP
#               3146       Unassigned
rfio            3147/tcp   RFIO
rfio            3147/udp   RFIO
nm-game-admin   3148/tcp   NetMike Game Admin
nm-game-admin   3148/udp   NetMike Game Admin
nm-game-server  3149/tcp   NetMike Game Server
nm-game-server  3149/udp   NetMike Game Server
nm-asses-admin  3150/tcp   NetMike Assessor Admin
nm-asses-admin  3150/udp   NetMike Assessor Admin
nm-assessor     3151/tcp   NetMike Assessor
nm-assessor     3151/udp   NetMike Assessor
#               3152-3179  Unassigned
mc-brk-srv      3180/tcp   Millicent Broker
mc-brk-srv      3180/udp   Millicent Broker
bmcpatrolagent  3181/tcp   BMC Patrol Agent
bmcpatrolagent  3181/udp   BMC Patrol Agent
bmcpatrolrnvu   3182/tcp   BMC Patrol
bmcpatrolrnvu   3182/udp   BMC Patrol
#               3183-3261  Unassigned
necp            3262/tcp   NECP
necp            3262/udp   NECP
#               3263       Unassigned
ccmail          3264/tcp   cc:mail/lotus
ccmail          3264/udp   cc:mail/lotus
altav-tunnel    3265/tcp   Altav Tunnel
altav-tunnel    3265/udp   Altav Tunnel
ns-cfg-server   3266/tcp   NS CFG Server
ns-cfg-server   3266/udp   NS CFG Server
ibm-dial-out    3267/tcp   IBM Dial Out
ibm-dial-out    3267/udp   IBM Dial Out
msft-gc         3268/tcp   Microsoft Global
msft-gc         3268/udp   Microsoft Global
msft-gc-ssl     3269/tcp   Microsoft Global
msft-gc-ssl     3269/udp   Microsoft Global
verismart       3270/tcp   Verismart
verismart       3270/udp   Verismart
csoft-prev      3271/tcp   CSoft Prev Port
csoft-prev      3271/udp   CSoft Prev Port
user-manager    3272/tcp   Fujitsu User Mgr
user-manager    3272/udp   Fujitsu User Mgr
sxmp            3273/tcp   SXMP
sxmp            3273/udp   SXMP
ordinox-server  3274/tcp   Ordinox Server
ordinox-server  3274/udp   Ordinox Server
samd            3275/tcp   SAMD
samd            3275/udp   SAMD
maxim-asics     3276/tcp   Maxim ASICs
maxim-asics     3276/udp   Maxim ASICs
awg-proxy       3277/tcp   AWG Proxy
awg-proxy       3277/udp   AWG Proxy
lkcmserver      3278/tcp   LKCM Server
lkcmserver      3278/udp   LKCM Server
admind          3279/tcp   admind
admind          3279/udp   admind
vs-server       3280/tcp   VS Server
vs-server       3280/udp   VS Server
sysopt          3281/tcp   SYSOPT
sysopt          3281/udp   SYSOPT
datusorb        3282/tcp   Datusorb
datusorb        3282/udp   Datusorb
net-assistant   3283/tcp   Net Assistant
net-assistant   3283/udp   Net Assistant
4talk           3284/tcp   4Talk
4talk           3284/udp   4Talk
plato           3285/tcp   Plato
plato           3285/udp   Plato
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
netview-aix-5   1665/udp   netview-aix-5
netview-aix-6   1666/tcp   netview-aix-6
netview-aix-6   1666/udp   netview-aix-6
netview-aix-7   1667/tcp   netview-aix-7
netview-aix-7   1667/udp   netview-aix-7
netview-aix-8   1668/tcp   netview-aix-8
netview-aix-8   1668/udp   netview-aix-8
netview-aix-9   1669/tcp   netview-aix-9
netview-aix-9   1669/udp   netview-aix-9
netview-aix-10  1670/tcp   netview-aix-10
netview-aix-10  1670/udp   netview-aix-10
netview-aix-11  1671/tcp   netview-aix-11
netview-aix-11  1671/udp   netview-aix-11
netview-aix-12  1672/tcp   netview-aix-12
netview-aix-12  1672/udp   netview-aix-12
proshare-mc-1   1673/tcp   Intel Proshare
proshare-mc-1   1673/udp   Intel Proshare
proshare-mc-2   1674/tcp   Intel Proshare
proshare-mc-2   1674/udp   Intel Proshare
pdp             1675/tcp   Pacific Data
pdp             1675/udp   Pacific Data
netcomm1        1676/tcp   netcomm1
netcomm2        1676/udp   netcomm2
groupwise       1677/tcp   groupwise
groupwise       1677/udp   groupwise
prolink         1678/tcp   prolink
prolink         1678/udp   prolink
darcorp-lm      1679/tcp   darcorp-lm
darcorp-lm      1679/udp   darcorp-lm
microcom-sbp    1680/tcp   microcom-sbp
microcom-sbp    1680/udp   microcom-sbp
sd-elmd         1681/tcp   sd-elmd
sd-elmd         1681/udp   sd-elmd
lanyon-lantern  1682/tcp   lanyon-lantern
lanyon-lantern  1682/udp   lanyon-lantern
ncpm-hip        1683/tcp   ncpm-hip
ncpm-hip        1683/udp   ncpm-hip
snaresecure     1684/tcp   snaresecure
snaresecure     1684/udp   snaresecure
n2nremote       1685/tcp   n2nremote
n2nremote       1685/udp   n2nremote
cvmon           1686/tcp   cvmon
cvmon           1686/udp   cvmon
nsjtp-ctrl      1687/tcp   nsjtp-ctrl
nsjtp-ctrl      1687/udp   nsjtp-ctrl
nsjtp-data      1688/tcp   nsjtp-data
nsjtp-data      1688/udp   nsjtp-data
firefox         1689/tcp   firefox
firefox         1689/udp   firefox
ng-umds         1690/tcp   ng-umds
ng-umds         1690/udp   ng-umds
empire-empuma   1691/tcp   empire-empuma
empire-empuma   1691/udp   empire-empuma
sstsys-lm       1692/tcp   sstsys-lm
sstsys-lm       1692/udp   sstsys-lm
rrirtr          1693/tcp   rrirtr
rrirtr          1693/udp   rrirtr
rrimwm          1694/tcp   rrimwm
rrimwm          1694/udp   rrimwm
rrilwm          1695/tcp   rrilwm
rrilwm          1695/udp   rrilwm
rrifmm          1696/tcp   rrifmm
rrifmm          1696/udp   rrifmm
rrisat          1697/tcp   rrisat
rrisat          1697/udp   rrisat
rsvp-encap-1    1698/tcp   RSVP-ENCAPSULATION-1
rsvp-encap-1    1698/udp   RSVP-ENCAPSULATION-1
rsvp-encap-2    1699/tcp   RSVP-ENCAPSULATION-2
rsvp-encap-2    1699/udp   RSVP-ENCAPSULATION-2
mps-raft        1700/tcp   mps-raft
mps-raft        1700/udp   mps-raft
e-net           3286/tcp   E-Net
e-net           3286/udp   E-Net
directvdata     3287/tcp   DIRECTVDATA
directvdata     3287/udp   DIRECTVDATA
cops            3288/tcp   COPS
cops            3288/udp   COPS
enpc            3289/tcp   ENPC
enpc            3289/udp   ENPC
caps-lm         3290/tcp   CAPS LOGISTICS
caps-lm         3290/udp   CAPS LOGISTICS
sah-lm          3291/tcp   S A Holditch &
sah-lm          3291/udp   S A Holditch &
cart-o-rama     3292/tcp   Cart O Rama
cart-o-rama     3292/udp   Cart O Rama
fg-fps          3293/tcp   fg-fps
fg-fps          3293/udp   fg-fps
fg-gip          3294/tcp   fg-gip
fg-gip          3294/udp   fg-gip
dyniplookup     3295/tcp   Dynamic IP
dyniplookup     3295/udp   Dynamic IP
rib-slm         3296/tcp   Rib License
rib-slm         3296/udp   Rib License
cytel-lm        3297/tcp   Cytel Mgr
cytel-lm        3297/udp   Cytel Mgr
transview       3298/tcp   Transview
transview       3298/udp   Transview
pdrncs          3299/tcp   pdrncs
pdrncs          3299/udp   pdrncs
mcs-fastmail    3302/tcp   MCS Fastmail
mcs-fastmail    3302/udp   MCS Fastmail
opsession-clnt  3303/tcp   OP Session Clt
opsession-clnt  3303/udp   OP Session Clt
opsession-srvr  3304/tcp   OP Session Serv
opsession-srvr  3304/udp   OP Session Serv
odette-ftp      3305/tcp   ODETTE-FTP
odette-ftp      3305/udp   ODETTE-FTP
mysql           3306/tcp   MySQL
mysql           3306/udp   MySQL
opsession-prxy  3307/tcp   OP Session Proxy
opsession-prxy  3307/udp   OP Session Proxy
tns-server      3308/tcp   TNS Server
tns-server      3308/udp   TNS Server
tns-adv         3309/tcp   TNS ADV
tns-adv         3309/udp   TNS ADV
dyna-access     3310/tcp   Dyna Access
dyna-access     3310/udp   Dyna Access
mcns-tel-ret    3311/tcp   MCNS Tel Ret
mcns-tel-ret    3311/udp   MCNS Tel Ret
appman-server   3312/tcp   Application
appman-server   3312/udp   Application
uorb            3313/tcp   Unify Object
uorb            3313/udp   Unify Object
uohost          3314/tcp   Unify Object
uohost          3314/udp   Unify Object
cdid            3315/tcp   CDID
cdid            3315/udp   CDID
aicc-cmi        3316/tcp   AICC/CMI
aicc-cmi        3316/udp   AICC/CMI
vsaiport        3317/tcp   VSAI PORT
vsaiport        3317/udp   VSAI PORT
ssrip           3318/tcp   Swith to Swith
ssrip           3318/udp   Swith to Swith
sdt-lmd         3319/tcp   SDT License Mgr
sdt-lmd         3319/udp   SDT License Mgr
officelink2000  3320/tcp   Office Link 2000
officelink2000  3320/udp   Office Link 2000
vnsstr          3321/tcp   VNSSTR
vnsstr          3321/udp   VNSSTR
active-net      3322-3325  Active Networks
sftu            3326/tcp   SFTU
sftu            3326/udp   SFTU
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
l2f             1701/tcp   l2f
l2f             1701/udp   l2f
l2tp            1701/tcp   l2tp
l2tp            1701/udp   l2tp
deskshare       1702/tcp   deskshare
deskshare       1702/udp   deskshare
bcs-broker      1704/tcp   bcs-broker
bcs-broker      1704/udp   bcs-broker
slingshot       1705/tcp   slingshot
slingshot       1705/udp   slingshot
jetform         1706/tcp   jetform
jetform         1706/udp   jetform
vdmplay         1707/tcp   vdmplay
vdmplay         1707/udp   vdmplay
gat-lmd         1708/tcp   gat-lmd
gat-lmd         1708/udp   gat-lmd
centra          1709/tcp   centra
centra          1709/udp   centra
impera          1710/tcp   impera
impera          1710/udp   impera
pptconference   1711/tcp   pptconference
pptconference   1711/udp   pptconference
registrar       1712/tcp   resource mon
registrar       1712/udp   resource mon
conferencetalk  1713/tcp   ConferenceTalk
conferencetalk  1713/udp   ConferenceTalk
sesi-lm         1714/tcp   sesi-lm
sesi-lm         1714/udp   sesi-lm
houdini-lm      1715/tcp   houdini-lm
houdini-lm      1715/udp   houdini-lm
xmsg            1716/tcp   xmsg
xmsg            1716/udp   xmsg
fj-hdnet        1717/tcp   fj-hdnet
fj-hdnet        1717/udp   fj-hdnet
h323gatedisc    1718/tcp   h323gatedisc
h323gatedisc    1718/udp   h323gatedisc
h323gatestat    1719/tcp   h323gatestat
h323gatestat    1719/udp   h323gatestat
h323hostcall    1720/tcp   h323hostcall
h323hostcall    1720/udp   h323hostcall
caicci          1721/tcp   caicci
caicci          1721/udp   caicci
hks-lm          1722/tcp   HKS
hks-lm          1722/udp   HKS
pptp            1723/tcp   pptp
pptp            1723/udp   pptp
csbphonemaster  1724/tcp   csbphonemaster
csbphonemaster  1724/udp   csbphonemaster
iden-ralp       1725/tcp   iden-ralp
iden-ralp       1725/udp   iden-ralp
iberiagames     1726/tcp   IBERIAGAMES
iberiagames     1726/udp   IBERIAGAMES
winddx          1727/tcp   winddx
winddx          1727/udp   winddx
telindus        1728/tcp   TELINDUS
telindus        1728/udp   TELINDUS
roketz          1730/tcp   roketz
roketz          1730/udp   roketz
msiccp          1731/tcp   MSICCP
msiccp          1731/udp   MSICCP
proxim          1732/tcp   proxim
proxim          1732/udp   proxim
siipat          1733/tcp   SIMS
siipat          1733/udp   SIMS
cambertx-lm     1734/tcp   Camber
cambertx-lm     1734/udp   Camber
privatechat     1735/tcp   PrivateChat
privatechat     1735/udp   PrivateChat
street-stream   1736/tcp   street-stream
street-stream   1736/udp   street-stream
ultimad         1737/tcp   ultimad
bbars           3327/tcp   BBARS
bbars           3327/udp   BBARS
egptlm          3328/tcp   Eaglepoint
egptlm          3328/udp   Eaglepoint
hp-device-disc  3329/tcp   HP Device Disc
hp-device-disc  3329/udp   HP Device Disc
mcs-calypsoicf  3330/tcp   MCS Calypso ICF
mcs-calypsoicf  3330/udp   MCS Calypso ICF
mcs-messaging   3331/tcp   MCS Messaging
mcs-messaging   3331/udp   MCS Messaging
mcs-mailsvr     3332/tcp   MCS Mail Server
mcs-mailsvr     3332/udp   MCS Mail Server
dec-notes       3333/tcp   DEC Notes
dec-notes       3333/udp   DEC Notes
directv-web     3334/tcp   Direct TV
directv-web     3334/udp   Direct TV
directv-soft    3335/tcp   Direct TV
directv-soft    3335/udp   Direct TV
directv-tick    3336/tcp   Direct TV
directv-tick    3336/udp   Direct TV
directv-catlg   3337/tcp   Direct TV Data
directv-catlg   3337/udp   Direct TV Data
anet-b          3338/tcp   OMF data
anet-b          3338/udp   OMF data
anet-l          3339/tcp   OMF data
anet-l          3339/udp   OMF data
anet-m          3340/tcp   OMF data
anet-m          3340/udp   OMF data
anet-h          3341/tcp   OMF data
anet-h          3341/udp   OMF data
webtie          3342/tcp   WebTIE
webtie          3342/udp   WebTIE
ms-cluster-net  3343/tcp   MS Cluster Net
ms-cluster-net  3343/udp   MS Cluster Net
bnt-manager     3344/tcp   BNT Manager
bnt-manager     3344/udp   BNT Manager
influence       3345/tcp   Influence
influence       3345/udp   Influence
trnsprntproxy   3346/tcp   Trnsprnt Proxy
trnsprntproxy   3346/udp   Trnsprnt Proxy
phoenix-rpc     3347/tcp   Phoenix RPC
phoenix-rpc     3347/udp   Phoenix RPC
pangolin-laser  3348/tcp   Pangolin Laser
pangolin-laser  3348/udp   Pangolin Laser
chevinservices  3349/tcp   Chevin Services
chevinservices  3349/udp   Chevin Services
findviatv       3350/tcp   FINDVIATV
findviatv       3350/udp   FINDVIATV
btrieve         3351/tcp   BTRIEVE
btrieve         3351/udp   BTRIEVE
ssql            3352/tcp   SSQL
ssql            3352/udp   SSQL
fatpipe         3353/tcp   FATPIPE
fatpipe         3353/udp   FATPIPE
suitjd          3354/tcp   SUITJD
suitjd          3354/udp   SUITJD
ordinox-dbase   3355/tcp   Ordinox Dbase
ordinox-dbase   3355/udp   Ordinox Dbase
upnotifyps      3356/tcp   UPNOTIFYPS
upnotifyps      3356/udp   UPNOTIFYPS
adtech-test     3357/tcp   Adtech Test IP
adtech-test     3357/udp   Adtech Test IP
mpsysrmsvr      3358/tcp   Mp Sys Rmsvr
mpsysrmsvr      3358/udp   Mp Sys Rmsvr
wg-netforce     3359/tcp   WG NetForce
wg-netforce     3359/udp   WG NetForce
kv-server       3360/tcp   KV Server
kv-server       3360/udp   KV Server
kv-agent        3361/tcp   KV Agent
kv-agent        3361/udp   KV Agent
dj-ilm          3362/tcp   DJ ILM
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
ultimad         1737/udp   ultimad
gamegen1        1738/tcp   GameGen1
gamegen1        1738/udp   GameGen1
webaccess       1739/tcp   webaccess
webaccess       1739/udp   webaccess
encore          1740/tcp   encore
encore          1740/udp   encore
cisco-net-mgmt  1741/tcp   cisco-net-mgmt
cisco-net-mgmt  1741/udp   cisco-net-mgmt
3Com-nsd        1742/tcp   3Com-nsd
3Com-nsd        1742/udp   3Com-nsd
cinegrfx-lm     1743/tcp   Cinema Graphics
cinegrfx-lm     1743/udp   Cinema Graphics
ncpm-ft         1744/tcp   ncpm-ft
ncpm-ft         1744/udp   ncpm-ft
remote-winsock  1745/tcp   remote-winsock
remote-winsock  1745/udp   remote-winsock
ftrapid-1       1746/tcp   ftrapid-1
ftrapid-1       1746/udp   ftrapid-1
ftrapid-2       1747/tcp   ftrapid-2
ftrapid-2       1747/udp   ftrapid-2
oracle-em1      1748/tcp   oracle-em1
oracle-em1      1748/udp   oracle-em1
aspen-services  1749/tcp   aspen-services
aspen-services  1749/udp   aspen-services
sslp            1750/tcp   Simple Socket
sslp            1750/udp   Simple Socket
swiftnet        1751/tcp   SwiftNet
swiftnet        1751/udp   SwiftNet
lofr-lm         1752/tcp   Leap of Faith
lofr-lm         1752/udp   Leap of Faith
translogic-lm   1753/tcp   Translogic
translogic-lm   1753/udp   Translogic
oracle-em2      1754/tcp   oracle-em2
oracle-em2      1754/udp   oracle-em2
ms-streaming    1755/tcp   ms-streaming
ms-streaming    1755/udp   ms-streaming
capfast-lmd     1756/tcp   capfast-lmd
capfast-lmd     1756/udp   capfast-lmd
cnhrp           1757/tcp   cnhrp
cnhrp           1757/udp   cnhrp
tftp-mcast      1758/tcp   tftp-mcast
tftp-mcast      1758/udp   tftp-mcast
spss-lm         1759/tcp   SPSS
spss-lm         1759/udp   SPSS
www-ldap-gw     1760/tcp   www-ldap-gw
www-ldap-gw     1760/udp   www-ldap-gw
cft-0           1761/tcp   cft-0
cft-0           1761/udp   cft-0
cft-1           1762/tcp   cft-1
cft-1           1762/udp   cft-1
cft-2           1763/tcp   cft-2
cft-2           1763/udp   cft-2
cft-3           1764/tcp   cft-3
cft-3           1764/udp   cft-3
cft-4           1765/tcp   cft-4
cft-4           1765/udp   cft-4
cft-5           1766/tcp   cft-5
cft-5           1766/udp   cft-5
cft-6           1767/tcp   cft-6
cft-6           1767/udp   cft-6
cft-7           1768/tcp   cft-7
cft-7           1768/udp   cft-7
bmc-net-adm     1769/tcp   bmc-net-adm
bmc-net-adm     1769/udp   bmc-net-adm
bmc-net-svc     1770/tcp   bmc-net-svc
bmc-net-svc     1770/udp   bmc-net-svc
vaultbase       1771/tcp   vaultbase
vaultbase       1771/udp   vaultbase
essweb-gw       1772/tcp   EssWeb Gateway
essweb-gw       1772/udp   EssWeb Gateway
dj-ilm          3362/udp   DJ ILM
nati-vi-server  3363/tcp   NATI Vi Server
nati-vi-server  3363/udp   NATI Vi Server
creativeserver  3364/tcp   Creative Server
creativeserver  3364/udp   Creative Server
contentserver   3365/tcp   Content Server
contentserver   3365/udp   Content Server
creativepartnr  3366/tcp   Creative Partner
creativepartnr  3366/udp   Creative Partner
satvid-datalnk  3367-3371  Satellite Video
tip2            3372/tcp   TIP 2
tip2            3372/udp   TIP 2
lavenir-lm      3373/tcp   Lavenir
lavenir-lm      3373/udp   Lavenir
cluster-disc    3374/tcp   Cluster Disc
cluster-disc    3374/udp   Cluster Disc
vsnm-agent      3375/tcp   VSNM Agent
vsnm-agent      3375/udp   VSNM Agent
cdbroker        3376/tcp   CD Broker
cdbroker        3376/udp   CD Broker
cogsys-lm       3377/tcp   Cogsys Network
cogsys-lm       3377/udp   Cogsys Network
wsicopy         3378/tcp   WSICOPY
wsicopy         3378/udp   WSICOPY
socorfs         3379/tcp   SOCORFS
socorfs         3379/udp   SOCORFS
sns-channels    3380/tcp   SNS Channels
sns-channels    3380/udp   SNS Channels
geneous         3381/tcp   Geneous
geneous         3381/udp   Geneous
fujitsu-neat    3382/tcp   Fujitsu Network
fujitsu-neat    3382/udp   Fujitsu Network
esp-lm          3383/tcp   Enterprise
esp-lm          3383/udp   Enterprise
hp-clic         3384/tcp   Cluster
hp-clic         3384/udp   Hardware
qnxnetman       3385/tcp   qnxnetman
qnxnetman       3385/udp   qnxnetman
gprs-data       3386/tcp   GPRS Data
gprs-sig        3386/udp   GPRS SIG
backroomnet     3387/tcp   Back Room Net
backroomnet     3387/udp   Back Room Net
cbserver        3388/tcp   CB Server
cbserver        3388/udp   CB Server
ms-wbt-server   3389/tcp   MS WBT Server
ms-wbt-server   3389/udp   MS WBT Server
dsc             3390/tcp   Distributed
dsc             3390/udp   Distributed
savant          3391/tcp   SAVANT
savant          3391/udp   SAVANT
efi-lm          3392/tcp   EFI License
efi-lm          3392/udp   EFI License
d2k-tapestry1   3393/tcp   D2K Tapestry
d2k-tapestry1   3393/udp   D2K Tapestry
d2k-tapestry2   3394/tcp   D2K Tapestry
d2k-tapestry2   3394/udp   D2K Tapestry
dyna-lm         3395/tcp   Dyna (Elam)
dyna-lm         3395/udp   Dyna (Elam)
printer_agent   3396/tcp   Printer Agent
printer_agent   3396/udp   Printer Agent
cloanto-lm      3397/tcp   Cloanto
cloanto-lm      3397/udp   Cloanto
mercantile      3398/tcp   Mercantile
mercantile      3398/udp   Mercantile
csms            3399/tcp   CSMS
csms            3399/udp   CSMS
csms2           3400/tcp   CSMS2
csms2           3400/udp   CSMS2
filecast        3401/tcp   filecast
filecast        3401/udp   filecast
#               3402-3420  Unassigned
kmscontrol      1773/tcp   KMSControl
kmscontrol      1773/udp   KMSControl
global-dtserv   1774/tcp   global-dtserv
global-dtserv   1774/udp   global-dtserv
#               1775/tcp
femis           1776/tcp   FEMIS
femis           1776/udp   FEMIS
powerguardian   1777/tcp   powerguardian
powerguardian   1777/udp   powerguardian
prodigy-intrnet 1778/tcp   prodigy
prodigy-intrnet 1778/udp   prodigy
pharmasoft      1779/tcp   pharmasoft
pharmasoft      1779/udp   pharmasoft
dpkeyserv       1780/tcp   dpkeyserv
dpkeyserv       1780/udp   dpkeyserv
answersoft-lm   1781/tcp   answersoft-lm
answersoft-lm   1781/udp   answersoft-lm
hp-hcip         1782/tcp   hp-hcip
hp-hcip         1782/udp   hp-hcip
#               1783       Decomissioned Port
finle-lm        1784/tcp   Finle
finle-lm        1784/udp   Finle
windlm          1785/tcp   Wind River
windlm          1785/udp   Wind River
funk-logger     1786/tcp   funk-logger
funk-logger     1786/udp   funk-logger
funk-license    1787/tcp   funk-license
funk-license    1787/udp   funk-license
psmond          1788/tcp   psmond
psmond          1788/udp   psmond
hello           1789/tcp   hello
hello           1789/udp   hello
nmsp            1790/tcp   Narrative Media
nmsp            1790/udp   Narrative Media
ea1             1791/tcp   EA1
ea1             1791/udp   EA1
ibm-dt-2        1792/tcp   ibm-dt-2
ibm-dt-2        1792/udp   ibm-dt-2
rsc-robot       1793/tcp   rsc-robot
rsc-robot       1793/udp   rsc-robot
cera-bcm        1794/tcp   cera-bcm
cera-bcm        1794/udp   cera-bcm
dpi-proxy       1795/tcp   dpi-proxy
dpi-proxy       1795/udp   dpi-proxy
vocaltec-admin  1796/tcp   Vocaltec Server
vocaltec-admin  1796/udp   Vocaltec Server
uma             1797/tcp   UMA
uma             1797/udp   UMA
etp             1798/tcp   Event Transfer
etp             1798/udp   Event Transfer
netrisk         1799/tcp   NETRISK
netrisk         1799/udp   NETRISK
ansys-lm        1800/tcp   ANSYS
ansys-lm        1800/udp   ANSYS
msmq            1801/tcp   MS Message Queue
msmq            1801/udp   MS Message Queue
concomp1        1802/tcp   ConComp1
concomp1        1802/udp   ConComp1
hp-hcip-gwy     1803/tcp   HP-HCIP-GWY
hp-hcip-gwy     1803/udp   HP-HCIP-GWY
enl             1804/tcp   ENL
enl             1804/udp   ENL
enl-name        1805/tcp   ENL-Name
enl-name        1805/udp   ENL-Name
musiconline     1806/tcp   Musiconline
musiconline     1806/udp   Musiconline
fhsp            1807/tcp   Fujitsu Hot
fhsp            1807/udp   Fujitsu Hot
oracle-vp2      1808/tcp   Oracle-VP2
oracle-vp2      1808/udp   Oracle-VP2
oracle-vp1      1809/tcp   Oracle-VP1
APPENDIX D  Port list

bmap            3421/tcp   Bull Apprise
bmap            3421/udp   Bull Apprise
#               3422-3453  Unassigned
mira            3454/tcp   Apple Remote
prsvp           3455/tcp   RSVP Port
prsvp           3455/udp   RSVP Port
vat             3456/tcp   VAT default
vat             3456/udp   VAT default
vat-control     3457/tcp   VAT default
vat-control     3457/udp   VAT default
d3winosfi       3458/tcp   D3WinOsfi
d3winosfi       3458/udp   D3WinOsfi
integral        3459/tcp   TIP Integral
integral        3459/udp   TIP Integral
edm-manager     3460/tcp   EDM Manager
edm-manager     3460/udp   EDM Manager
edm-stager      3461/tcp   EDM Stager
edm-stager      3461/udp   EDM Stager
edm-std-notify  3462/tcp   EDM STD Notify
edm-std-notify  3462/udp   EDM STD Notify
edm-adm-notify  3463/tcp   EDM ADM Notify
edm-adm-notify  3463/udp   EDM ADM Notify
edm-mgr-sync    3464/tcp   EDM MGR Sync
edm-mgr-sync    3464/udp   EDM MGR Sync
edm-mgr-cntrl   3465/tcp   EDM MGR Cntrl
edm-mgr-cntrl   3465/udp   EDM MGR Cntrl
workflow        3466/tcp   WORKFLOW
workflow        3466/udp   WORKFLOW
rcst            3467/tcp   RCST
rcst            3467/udp   RCST
ttcmremotectrl  3468/tcp   TTCM Remote
ttcmremotectrl  3468/udp   TTCM Remote
pluribus        3469/tcp   Pluribus
pluribus        3469/udp   Pluribus
jt400           3470/tcp   jt400
jt400           3470/udp   jt400
jt400-ssl       3471/tcp   jt400-ssl
jt400-ssl       3471/udp   jt400-ssl
#               3472-3534  Unassigned
ms-la           3535/tcp   MS-LA
ms-la           3535/udp   MS-LA
#               3536-3562  Unassigned
watcomdebug     3563/tcp   Watcom Debug
watcomdebug     3563/udp   Watcom Debug
#               3564-3671  Unassigned
harlequinorb    3672/tcp   harlequinorb
harlequinorb    3672/udp   harlequinorb
#               3673-3801  Unassigned
vhd             3802/tcp   VHD
vhd             3802/udp   VHD
#               3803-3844  Unassigned
v-one-spp       3845/tcp   V-ONE Single
v-one-spp       3845/udp   V-ONE Single
#               3846-3861  Unassigned
giga-pocket     3862/tcp
giga-pocket     3862/udp
#               3863-3874  Unassigned
pnbscada        3875/tcp
pnbscada        3875/udp
#               3876-3899  Unassigned
udt_os          3900/tcp
udt_os          3900/udp
#               3901-3983  Unassigned
mapper-nodemgr  3984/tcp
mapper-nodemgr  3984/udp
mapper-mapethd  3985/tcp
mapper-mapethd  3985/udp
mapper-ws_ethd  3986/tcp
mapper-ws_ethd  3986/udp
centerline      3987/tcp
centerline      3987/udp
Unassigned 
GIGA-POCKET 
GIGA-POCKET 
Unassigned 
PNBSCADA 
PNBSCADA 
Unassigned 
Unidata UDT 
Unidata UDT 
Unassigned 
MAPPER netwo 
MAPPER netwo 
MAPPER TCP/I 
MAPPER TCP/I 
MAPPER 
MAPPER 
Centerline 
Centerline 











data 
data 
Ctrl 
Chri. 


fy 
fy 
fy 
fy 


1 
1 


Ctrl 
Ctrl 


OS 
OS 


rk 
rk 
P 
P 
oracle-vp1       1809/udp    Oracle-VP1
jerand-lm        1810/tcp    Jerand
jerand-lm        1810/udp    Jerand
scientia-sdb     1811/tcp    Scientia-SDB
scientia-sdb     1811/udp    Scientia-SDB
radius           1812/tcp    RADIUS
radius           1812/udp    RADIUS
radius-acct      1813/tcp    RADIUS Acc
radius-acct      1813/udp    RADIUS Acc
tdp-suite        1814/tcp    TDP Suite
tdp-suite        1814/udp    TDP Suite
mmpft            1815/tcp    MMPFT
mmpft            1815/udp    MMPFT
harp             1816/tcp    HARP
harp             1816/udp    HARP
rkb-oscs         1817/tcp    RKB-OSCS
rkb-oscs         1817/udp    RKB-OSCS
etftp            1818/tcp    Enhanced TFTP
etftp            1818/udp    Enhanced TFTP
plato-lm         1819/tcp    Plato
plato-lm         1819/udp    Plato
mcagent          1820/tcp    mcagent
mcagent          1820/udp    mcagent
donnyworld       1821/tcp    donnyworld
donnyworld       1821/udp    donnyworld
es-elmd          1822/tcp    es-elmd
es-elmd          1822/udp    es-elmd
unisys-lm        1823/tcp    Unisys
unisys-lm        1823/udp    Unisys
metrics-pas      1824/tcp    metrics-pas
metrics-pas      1824/udp    metrics-pas
direcpc-video    1825/tcp    DirecPC Video
direcpc-video    1825/udp    DirecPC Video
ardt             1826/tcp    ARDT
ardt             1826/udp    ARDT
asi              1827/tcp    ASI
asi              1827/udp    ASI
itm-mcell-u      1828/tcp    itm-mcell-u
itm-mcell-u      1828/udp    itm-mcell-u
optika-emedia    1829/tcp    Optika eMedia
optika-emedia    1829/udp    Optika eMedia
net8-cman        1830/tcp    Oracle Net8
net8-cman        1830/udp    Oracle Net8
myrtle           1831/tcp    Myrtle
myrtle           1831/udp    Myrtle
tht-treasure     1832/tcp    ThoughtTreasure
tht-treasure     1832/udp    ThoughtTreasure
udpradio         1833/tcp    udpradio
udpradio         1833/udp    udpradio
ardusuni         1834/tcp    ARDUS Unicast
ardusuni         1834/udp    ARDUS Unicast
ardusmul         1835/tcp    ARDUS Multicast
ardusmul         1835/udp    ARDUS Multicast
ste-smsc         1836/tcp    ste-smsc
ste-smsc         1836/udp    ste-smsc
csoft1           1837/tcp    csoft1
csoft1           1837/udp    csoft1
talnet           1838/tcp    TALNET
talnet           1838/udp    TALNET
netopia-vo1      1839/tcp    netopia-vo1
netopia-vo1      1839/udp    netopia-vo1
netopia-vo2      1840/tcp    netopia-vo2
netopia-vo2      1840/udp    netopia-vo2
netopia-vo3      1841/tcp    netopia-vo3
netopia-vo3      1841/udp    netopia-vo3
netopia-vo4      1842/tcp    netopia-vo4
netopia-vo4      1842/udp    netopia-vo4
netopia-vo5      1843/tcp    netopia-vo5
netopia-vo5      1843/udp    netopia-vo5
direcpc-dll      1844/tcp    DirecPC-DLL
direcpc-dll      1844/udp    DirecPC-DLL

#                3988-3999   Unassigned
terabase         4000/tcp    Terabase
terabase         4000/udp    Terabase
newoak           4001/tcp    NewOak
newoak           4001/udp    NewOak
pxc-spvr-ft      4002/tcp    pxc-spvr-ft
pxc-spvr-ft      4002/udp    pxc-spvr-ft
pxc-splr-ft      4003/tcp    pxc-splr-ft
pxc-splr-ft      4003/udp    pxc-splr-ft
pxc-roid         4004/tcp    pxc-roid
pxc-roid         4004/udp    pxc-roid
pxc-pin          4005/tcp    pxc-pin
pxc-pin          4005/udp    pxc-pin
pxc-spvr         4006/tcp    pxc-spvr
pxc-spvr         4006/udp    pxc-spvr
pxc-splr         4007/tcp    pxc-splr
pxc-splr         4007/udp    pxc-splr
netcheque        4008/tcp    NetCheque acc
netcheque        4008/udp    NetCheque acc
chimera-hwm      4009/tcp    Chimera HWM
chimera-hwm      4009/udp    Chimera HWM
samsung-unidex   4010/tcp    Samsung Unidex
samsung-unidex   4010/udp    Samsung Unidex
altserviceboot   4011/tcp    Alternate Boot
altserviceboot   4011/udp    Alternate Boot
pda-gate         4012/tcp    PDA Gate
pda-gate         4012/udp    PDA Gate
acl-manager      4013/tcp    ACL Manager
acl-manager      4013/udp    ACL Manager
taiclock         4014/tcp    TAICLOCK
taiclock         4014/udp    TAICLOCK
talarian-mcast1  4015/tcp    Talarian Mcast
talarian-mcast1  4015/udp    Talarian Mcast
talarian-mcast2  4016/tcp    Talarian Mcast
talarian-mcast2  4016/udp    Talarian Mcast
talarian-mcast3  4017/tcp    Talarian Mcast
talarian-mcast3  4017/udp    Talarian Mcast
talarian-mcast4  4018/tcp    Talarian Mcast
talarian-mcast4  4018/udp    Talarian Mcast
talarian-mcast5  4019/tcp    Talarian Mcast
talarian-mcast5  4019/udp    Talarian Mcast
#                4020-4095   Unassigned
bre              4096/tcp    BRE
bre              4096/udp    BRE
patrolview       4097/tcp    Patrol View
patrolview       4097/udp    Patrol View
drmsfsd          4098/tcp    drmsfsd
drmsfsd          4098/udp    drmsfsd
dpcp             4099/tcp    DPCP
dpcp             4099/udp    DPCP
#                4100-4131   Unassigned
nuts_dem         4132/tcp    NUTS Daemon
nuts_dem         4132/udp    NUTS Daemon
nuts_bootp       4133/tcp    NUTS Bootp Serv
nuts_bootp       4133/udp    NUTS Bootp Serv
nifty-hmi        4134/tcp    NIFTY-Serve HMI
nifty-hmi        4134/udp    NIFTY-Serve HMI
oirtgsvc         4141/tcp    Workflow Server
oirtgsvc         4141/udp    Workflow Server
oidocsvc         4142/tcp    Document Server
oidocsvc         4142/udp    Document Server
oidsr            4143/tcp    Document Replic
oidsr            4143/udp    Document Replic
#                4144-4159   Unassigned
jini-discovery   4160/tcp    Jini Discovery
jini-discovery   4160/udp    Jini Discovery
#                4161-4198   Unassigned
eims-admin       4199/tcp    EIMS ADMIN
eims-admin       4199/udp    EIMS ADMIN
vrml-multi-use   4200-4299   VRML Multi
corelccam        4300/tcp    Corel CCam
#                1845-1849   Unassigned
gsi              1850/tcp    GSI
gsi              1850/udp    GSI
ctcd             1851/tcp    ctcd
ctcd             1851/udp    ctcd
#                1852-1859   Unassigned
sunscalar-svc    1860/tcp    SunSCALAR
sunscalar-svc    1860/udp    SunSCALAR
lecroy-vicp      1861/tcp    LeCroy VICP
lecroy-vicp      1861/udp    LeCroy VICP
techra-server    1862/tcp    techra-server
techra-server    1862/udp    techra-server
msnp             1863/tcp    MSNP
msnp             1863/udp    MSNP
paradym-31port   1864/tcp    Paradym 31 Port
paradym-31port   1864/udp    Paradym 31 Port
entp             1865/tcp    ENTP
entp             1865/udp    ENTP
#                1866-1869   Unassigned
sunscalar-dns    1870/tcp    SunSCALAR DNS
sunscalar-dns    1870/udp    SunSCALAR DNS
canocentral0     1871/tcp    Cano Central 0
canocentral0     1871/udp    Cano Central 0
canocentral1     1872/tcp    Cano Central 1
canocentral1     1872/udp    Cano Central 1
fjmpjps          1873/tcp    Fjmpjps
fjmpjps          1873/udp    Fjmpjps
fjswapsnp        1874/tcp    Fjswapsnp
fjswapsnp        1874/udp    Fjswapsnp
#                1875-1880   Unassigned
ibm-mqseries2    1881/tcp    IBM MQSeries
ibm-mqseries2    1881/udp    IBM MQSeries
#                1882-1894   Unassigned
vista-4gl        1895/tcp    Vista 4GL
vista-4gl        1895/udp    Vista 4GL
#                1896-1898   Unassigned
mc2studios       1899/tcp    MC2Studios
mc2studios       1899/udp    MC2Studios
ssdp             1900/tcp    SSDP
ssdp             1900/udp    SSDP
fjicl-tep-a      1901/tcp    Fujitsu ICL
fjicl-tep-a      1901/udp    Fujitsu ICL
fjicl-tep-b      1902/tcp    Fujitsu ICL
fjicl-tep-b      1902/udp    Fujitsu ICL
linkname         1903/tcp    Local Link Name
linkname         1903/udp    Local Link Name
fjicl-tep-c      1904/tcp    Fujitsu ICL C
fjicl-tep-c      1904/udp    Fujitsu ICL C
sugp             1905/tcp    Secure UP.Link
sugp             1905/udp    Secure UP.Link
tpmd             1906/tcp    TPortMapperReq
tpmd             1906/udp    TPortMapperReq
intrastar        1907/tcp    IntraSTAR
intrastar        1907/udp    IntraSTAR
dawn             1908/tcp    Dawn
dawn             1908/udp    Dawn
global-wlink     1909/tcp    Global World
global-wlink     1909/udp    Global World
ultrabac         1910/tcp    ultrabac
ultrabac         1910/udp    ultrabac
mtp              1911/tcp    Starlight
mtp              1911/udp    Starlight
rhp-iibp         1912/tcp    rhp-iibp
rhp-iibp         1912/udp    rhp-iibp
armadp           1913/tcp    armadp
armadp           1913/udp    armadp
elm-momentum     1914/tcp    Elm-Momentum
elm-momentum     1914/udp    Elm-Momentum
facelink         1915/tcp    FACELINK
facelink         1915/udp    FACELINK
persona          1916/tcp    Persoft Persona

corelccam        4300/udp    Corel CCam
#                4301-4320   Unassigned
rwhois           4321/tcp    Remote Who Is
rwhois           4321/udp    Remote Who Is
unicall          4343/tcp    UNICALL
unicall          4343/udp    UNICALL
vinainstall      4344/tcp    VinaInstall
vinainstall      4344/udp    VinaInstall
m4-network-as    4345/tcp    Macro 4 Network
m4-network-as    4345/udp    Macro 4 Network
elanlm           4346/tcp    ELAN LM
elanlm           4346/udp    ELAN LM
lansurveyor      4347/tcp    LAN Surveyor
lansurveyor      4347/udp    LAN Surveyor
itose            4348/tcp    ITOSE
itose            4348/udp    ITOSE
fsportmap        4349/tcp    FileSys Port Map
fsportmap        4349/udp    FileSys Port Map
net-device       4350/tcp    Net Device
net-device       4350/udp    Net Device
plcy-net-svcs    4351/tcp    PLCY Net Serv
plcy-net-svcs    4351/udp    PLCY Net Serv
#                4352        Unassigned
f5-iquery        4353/tcp    F5 iQuery
f5-iquery        4353/udp    F5 iQuery
#                4354-4441   Unassigned
saris            4442/tcp    Saris
saris            4442/udp    Saris
pharos           4443/tcp    Pharos
pharos           4443/udp    Pharos
krb524           4444/tcp    KRB524
krb524           4444/udp    KRB524
nv-video         4444/tcp    NV Video default
nv-video         4444/udp    NV Video default
upnotifyp        4445/tcp    UPNOTIFYP
upnotifyp        4445/udp    UPNOTIFYP
n1-fwp           4446/tcp    N1-FWP
n1-fwp           4446/udp    N1-FWP
n1-rmgmt         4447/tcp    N1-RMGMT
n1-rmgmt         4447/udp    N1-RMGMT
asc-slmd         4448/tcp    ASC Licence Mgr
asc-slmd         4448/udp    ASC Licence Mgr
privatewire      4449/tcp    PrivateWire
privatewire      4449/udp    PrivateWire
camp             4450/tcp    Camp
camp             4450/udp    Camp
ctisystemmsg     4451/tcp    CTI System Msg
ctisystemmsg     4451/udp    CTI System Msg
ctiprogramload   4452/tcp    CTI Program Load
ctiprogramload   4452/udp    CTI Program Load
nssalertmgr      4453/tcp    NSS Alert Mgr
nssalertmgr      4453/udp    NSS Alert Mgr
nssagentmgr      4454/tcp    NSS Agent Mgr
nssagentmgr      4454/udp    NSS Agent Mgr
prchat-user      4455/tcp    PR Chat User
prchat-user      4455/udp    PR Chat User
prchat-server    4456/tcp    PR Chat Server
prchat-server    4456/udp    PR Chat Server
prRegister       4457/tcp    PR Register
prRegister       4457/udp    PR Register
#                4458-4499   Unassigned
sae-urn          4500/tcp    sae-urn
sae-urn          4500/udp    sae-urn
urn-x-cdchoice   4501/tcp    urn-x-cdchoice
urn-x-cdchoice   4501/udp    urn-x-cdchoice
worldscores      4545/tcp    WorldScores
worldscores      4545/udp    WorldScores
sf-lm            4546/tcp    SF (Sentinel)
sf-lm            4546/udp    SF (Sentinel)
lanner-lm        4547/tcp    Lanner
lanner-lm        4547/udp    Lanner
persona          1916/udp    Persoft Persona
noagent          1917/tcp    nOAgent
noagent          1917/udp    nOAgent
can-nds          1918/tcp    Candle NDS
can-nds          1918/udp    Candle NDS
can-dch          1919/tcp    Candle DCH
can-dch          1919/udp    Candle DCH
can-ferret       1920/tcp    Candle FERRET
can-ferret       1920/udp    Candle FERRET
noadmin          1921/tcp    NoAdmin
noadmin          1921/udp    NoAdmin
tapestry         1922/tcp    Tapestry
tapestry         1922/udp    Tapestry
spice            1923/tcp    SPICE
spice            1923/udp    SPICE
xiip             1924/tcp    XIIP
xiip             1924/udp    XIIP
#                1925-1929   Unassigned
driveappserver   1930/tcp    Drive AppServer
driveappserver   1930/udp    Drive AppServer
amdsched         1931/tcp    AMD SCHED
amdsched         1931/udp    AMD SCHED
#                1932-1943   Unassigned
close-combat     1944/tcp    close-combat
close-combat     1944/udp    close-combat
dialogic-elmd    1945/tcp    dialogic-elmd
dialogic-elmd    1945/udp    dialogic-elmd
tekpls           1946/tcp    tekpls
tekpls           1946/udp    tekpls
hlserver         1947/tcp    hlserver
hlserver         1947/udp    hlserver
eye2eye          1948/tcp    eye2eye
eye2eye          1948/udp    eye2eye
ismaeasdaqlive   1949/tcp    ISMA Easdaq Live
ismaeasdaqlive   1949/udp    ISMA Easdaq Live
ismaeasdaqtest   1950/tcp    ISMA Easdaq Test
ismaeasdaqtest   1950/udp    ISMA Easdaq Test
bcs-lmserver     1951/tcp    bcs-lmserver
bcs-lmserver     1951/udp    bcs-lmserver
mpnjsc           1952/tcp    mpnjsc
mpnjsc           1952/udp    mpnjsc
rapidbase        1953/tcp    Rapid Base
rapidbase        1953/udp    Rapid Base
#                1954-1960   Unassigned
bts-appserver    1961/tcp    BTS APPSERVER
bts-appserver    1961/udp    BTS APPSERVER
biap-mp          1962/tcp    BIAP-MP
biap-mp          1962/udp    BIAP-MP
webmachine       1963/tcp    WebMachine
webmachine       1963/udp    WebMachine
solid-e-engine   1964/tcp    SOLID E ENGINE
solid-e-engine   1964/udp    SOLID E ENGINE
tivoli-npm       1965/tcp    Tivoli NPM
tivoli-npm       1965/udp    Tivoli NPM
slush            1966/tcp    Slush
slush            1966/udp    Slush
sns-quote        1967/tcp    SNS Quote
sns-quote        1967/udp    SNS Quote
#                1968-1971   Unassigned
intersys-cache   1972/tcp    Cache
intersys-cache   1972/udp    Cache
dlsrap           1973/tcp    Data Link
dlsrap           1973/udp    Data Link
drp              1974/tcp    DRP
drp              1974/udp    DRP
tcoflashagent    1975/tcp    TCO Flash Agent
tcoflashagent    1975/udp    TCO Flash Agent
tcoregagent      1976/tcp    TCO Reg Agent
tcoregagent      1976/udp    TCO Reg Agent
tcoaddressbook   1977/tcp    TCO Address Book
tcoaddressbook   1977/udp    TCO Address Book

#                4548-4566   Unassigned
tram             4567/tcp    TRAM
tram             4567/udp    TRAM
bmc-reporting    4568/tcp    BMC Reporting
bmc-reporting    4568/udp    BMC Reporting
#                4569-4599   Unassigned
piranha1         4600/tcp    Piranha1
piranha1         4600/udp    Piranha1
piranha2         4601/tcp    Piranha2
piranha2         4601/udp    Piranha2
#                4602-4671   Unassigned
rfa              4672/tcp    remote file acc
rfa              4672/udp    remote file acc
#                4673-4799   Unassigned
iims             4800/tcp    Icona Instant
iims             4800/udp    Icona Instant
iwec             4801/tcp    Icona Web
iwec             4801/udp    Icona Web
ilss             4802/tcp    Icona
ilss             4802/udp    Icona
#                4803-4826   Unassigned
htcp             4827/tcp    HTCP
htcp             4827/udp    HTCP
#                4828-4836   Unassigned
varadero-0       4837/tcp    Varadero-0
varadero-0       4837/udp    Varadero-0
varadero-1       4838/tcp    Varadero-1
varadero-1       4838/udp    Varadero-1
varadero-2       4839/tcp    Varadero-2
varadero-2       4839/udp    Varadero-2
#                4840-4867   Unassigned
phrelay          4868/tcp    Photon Relay
phrelay          4868/udp    Photon Relay
phrelaydbg       4869/tcp    Photon Relay
phrelaydbg       4869/udp    Photon Relay
#                4870-4884   Unassigned
abbs             4885/tcp    ABBS
abbs             4885/udp    ABBS
#                4886-4982   Unassigned
att-intercom     4983/tcp    AT&T Intercom
att-intercom     4983/udp    AT&T Intercom
#                4984-4999   Unassigned
commplex-main    5000/tcp
commplex-main    5000/udp
commplex-link    5001/tcp
commplex-link    5001/udp
rfe              5002/tcp    radio free eth
rfe              5002/udp    radio free eth
fmpro-internal   5003/tcp    FileMaker, Inc.
fmpro-internal   5003/udp    FileMaker, Inc.
avt-profile-1    5004/tcp    avt-profile-1
avt-profile-1    5004/udp    avt-profile-1
avt-profile-2    5005/tcp    avt-profile-2
avt-profile-2    5005/udp    avt-profile-2
wsm-server       5006/tcp    wsm server
wsm-server       5006/udp    wsm server
wsm-server-ssl   5007/tcp    wsm server ssl
wsm-server-ssl   5007/udp    wsm server ssl
#                5008-5009   Unassigned
telelpathstart   5010/tcp    TelepathStart
telelpathstart   5010/udp    TelepathStart
telelpathattack  5011/tcp    TelepathAttack
telelpathattack  5011/udp    TelepathAttack
#                5012-5019   Unassigned
zenginkyo-1      5020/tcp    zenginkyo-1
zenginkyo-1      5020/udp    zenginkyo-1
zenginkyo-2      5021/tcp    zenginkyo-2
zenginkyo-2      5021/udp    zenginkyo-2
#                5022-5041   Unassigned
asnaacceler8db   5042/tcp    asnaacceler8db
asnaacceler8db   5042/udp    asnaacceler8db
unisql           1978/tcp    UniSQL
unisql           1978/udp    UniSQL
unisql-java      1979/tcp    UniSQL Java
unisql-java      1979/udp    UniSQL Java
#                1980-1983   Unassigned
bb               1984/tcp    BB
bb               1984/udp    BB
hsrp             1985/tcp    Hot Standby
hsrp             1985/udp    Hot Standby
licensedaemon    1986/tcp    cisco
licensedaemon    1986/udp    cisco
tr-rsrb-p1       1987/tcp    cisco RSRB
tr-rsrb-p1       1987/udp    cisco RSRB
tr-rsrb-p2       1988/tcp    cisco RSRB
tr-rsrb-p2       1988/udp    cisco RSRB
tr-rsrb-p3       1989/tcp    cisco RSRB
tr-rsrb-p3       1989/udp    cisco RSRB
mshnet           1989/tcp    MHSnet system
mshnet           1989/udp    MHSnet system
stun-p1          1990/tcp    cisco STUN
stun-p1          1990/udp    cisco STUN
stun-p2          1991/tcp    cisco STUN
stun-p2          1991/udp    cisco STUN
stun-p3          1992/tcp    cisco STUN
stun-p3          1992/udp    cisco STUN
ipsendmsg        1992/tcp    IPsendmsg
ipsendmsg        1992/udp    IPsendmsg
snmp-tcp-port    1993/tcp    cisco SNMP TCP
snmp-tcp-port    1993/udp    cisco SNMP TCP
stun-port        1994/tcp    cisco serial
stun-port        1994/udp    cisco serial
perf-port        1995/tcp    cisco perf port
perf-port        1995/udp    cisco perf port
tr-rsrb-port     1996/tcp    cisco Remote SRB
tr-rsrb-port     1996/udp    cisco Remote SRB
gdp-port         1997/tcp    cisco Gateway
gdp-port         1997/udp    cisco Gateway
x25-svc-port     1998/tcp    cisco X.25 (XOT)
x25-svc-port     1998/udp    cisco X.25 (XOT)
tcp-id-port      1999/tcp    cisco ident port
tcp-id-port      1999/udp    cisco ident port
callbook         2000/tcp
callbook         2000/udp
dc               2001/tcp
wizard           2001/udp    curry
globe            2002/tcp
globe            2002/udp
mailbox          2004/tcp
emce             2004/udp    CCWS mm conf
berknet          2005/tcp
oracle           2005/udp
invokator        2006/tcp
raid-cc          2006/udp    raid
dectalk          2007/tcp
raid-am          2007/udp    raid
conf             2008/tcp
terminaldb       2008/udp
news             2009/tcp
whosockami       2009/udp
search           2010/tcp
pipe_server      2010/udp
raid-cc          2011/tcp
servserv         2011/udp
ttyinfo          2012/tcp
raid-ac          2012/udp
raid-am          2013/tcp
raid-cd          2013/udp
troff            2014/tcp
raid-sf          2014/udp
cypress          2015/tcp
raid-cs          2015/udp

#                5043-5049   Unassigned
mmcc             5050/tcp    multimedia
mmcc             5050/udp    multimedia
ita-agent        5051/tcp    ITA Agent
ita-agent        5051/udp    ITA Agent
ita-manager      5052/tcp    ITA Manager
ita-manager      5052/udp    ITA Manager
#                5053-5054   Unassigned
unot             5055/tcp    UNOT
unot             5055/udp    UNOT
#                5056-5059   Unassigned
sip              5060/tcp    SIP
sip              5060/udp    SIP
#                5061-5068   Unassigned
i-net-2000-npr   5069/tcp    I/Net 2000-NPR
i-net-2000-npr   5069/udp    I/Net 2000-NPR
#                5070        Unassigned
powerschool      5071/tcp    PowerSchool
powerschool      5071/udp    PowerSchool
#                5072-5092   Unassigned
sentinel-lm      5093/tcp    Sentinel LM
sentinel-lm      5093/udp    Sentinel LM
#                5094-5098   Unassigned
sentlm-srv2srv   5099/tcp    SentLM Srv2Srv
sentlm-srv2srv   5099/udp    SentLM Srv2Srv
#                5100-5144   Unassigned
rmonitor_secure  5145/tcp    RMONITOR SECURE
rmonitor_secure  5145/udp    RMONITOR SECURE
#                5146-5149   Unassigned
atmp             5150/tcp    Ascend Tunnel
atmp             5150/udp    Ascend Tunnel
esri_sde         5151/tcp    ESRI SDE
esri_sde         5151/udp    ESRI SDE
sde-discovery    5152/tcp    ESRI SDE
sde-discovery    5152/udp    ESRI SDE
#                5153-5164   Unassigned
ife_icorp        5165/tcp    ife_1corp
ife_icorp        5165/udp    ife_1corp
#                5166-5189   Unassigned
aol              5190/tcp    America-Online
aol              5190/udp    America-Online
aol-1            5191/tcp    AmericaOnline1
aol-1            5191/udp    AmericaOnline1
aol-2            5192/tcp    AmericaOnline2
aol-2            5192/udp    AmericaOnline2
aol-3            5193/tcp    AmericaOnline3
aol-3            5193/udp    AmericaOnline3
#                5194-5199   Unassigned
targus-aib1      5200/tcp    Targus AIB
targus-aib1      5200/udp    Targus AIB
targus-aib2      5201/tcp    Targus AIB
targus-aib2      5201/udp    Targus AIB
targus-tnts1     5202/tcp    Targus TNTS 1
targus-tnts1     5202/udp    Targus TNTS 1
targus-tnts2     5203/tcp    Targus TNTS 2
targus-tnts2     5203/udp    Targus TNTS 2
#                5204-5235   Unassigned
padl2sim         5236/tcp
padl2sim         5236/udp
#                5237-5271   Unassigned
pk               5272/tcp    PK
pk               5272/udp    PK
#                5273-5299   Unassigned
hacl-hb          5300/tcp
hacl-hb          5300/udp
hacl-gs          5301/tcp
hacl-gs          5301/udp
hacl-cfg         5302/tcp
hacl-cfg         5302/udp
hacl-probe       5303/tcp
hacl-probe       5303/udp
bootserver       2016/tcp
bootserver       2016/udp
cypress-stat     2017/tcp
bootclient       2017/udp
terminaldb       2018/tcp
rellpack         2018/udp
whosockami       2019/tcp
about            2019/udp
xinupageserver   2020/tcp
xinupageserver   2020/udp
servexec         2021/tcp
xinuexpansion1   2021/udp
down             2022/tcp
xinuexpansion2   2022/udp
xinuexpansion3   2023/tcp
xinuexpansion3   2023/udp
xinuexpansion4   2024/tcp
xinuexpansion4   2024/udp
ellpack          2025/tcp
xribs            2025/udp
scrabble         2026/tcp
scrabble         2026/udp
shadowserver     2027/tcp
shadowserver     2027/udp
submitserver     2028/tcp
submitserver     2028/udp
device2          2030/tcp
device2          2030/udp
blackboard       2032/tcp
blackboard       2032/udp
glogger          2033/tcp
glogger          2033/udp
scoremgr         2034/tcp
scoremgr         2034/udp
imsldoc          2035/tcp
imsldoc          2035/udp
objectmanager    2038/tcp
objectmanager    2038/udp
lam              2040/tcp
lam              2040/udp
interbase        2041/tcp
interbase        2041/udp
isis             2042/tcp    isis
isis             2042/udp    isis
isis-bcast       2043/tcp    isis-bcast
isis-bcast       2043/udp    isis-bcast
rimsl            2044/tcp
rimsl            2044/udp
cdfunc           2045/tcp
cdfunc           2045/udp
sdfunc           2046/tcp
sdfunc           2046/udp
dls              2047/tcp
dls              2047/udp
dls-monitor      2048/tcp
dls-monitor      2048/udp
shilp            2049/tcp
shilp            2049/udp
nfs              2049/tcp    Network File Sys
nfs              2049/udp    Network File Sys
dlsrpn           2065/tcp    Data Link Switch
dlsrpn           2065/udp    Data Link Switch
dlswpn           2067/tcp    Data Link Switch
dlswpn           2067/udp    Data Link Switch
lrp              2090/tcp    Load Report
lrp              2090/udp    Load Report
prp              2091/tcp    PRP
prp              2091/udp    PRP
descent3         2092/tcp    Descent 3
descent3         2092/udp    Descent 3
nbx-cc           2093/tcp    NBX CC

hacl-local       5304/tcp
hacl-local       5304/udp
hacl-test        5305/tcp
hacl-test        5305/udp
sun-mc-grp       5306/tcp    Sun MC Group
sun-mc-grp       5306/udp    Sun MC Group
sco-aip          5307/tcp    SCO AIP
sco-aip          5307/udp    SCO AIP
cfengine         5308/tcp    CFengine
cfengine         5308/udp    CFengine
jprinter         5309/tcp    J Printer
jprinter         5309/udp    J Printer
outlaws          5310/tcp    Outlaws
outlaws          5310/udp    Outlaws
tmlogin          5311/tcp    TM Login
tmlogin          5311/udp    TM Login
#                5312-5399   Unassigned
excerpt          5400/tcp    Excerpt Search
excerpt          5400/udp    Excerpt Search
excerpts         5401/tcp    Excerpt Search
excerpts         5401/udp    Excerpt Search
mftp             5402/tcp    MFTP
mftp             5402/udp    MFTP
hpoms-ci-lstn    5403/tcp    HPOMS-CI-LSTN
hpoms-ci-lstn    5403/udp    HPOMS-CI-LSTN
hpoms-dps-lstn   5404/tcp    HPOMS-DPS-LSTN
hpoms-dps-lstn   5404/udp    HPOMS-DPS-LSTN
netsupport       5405/tcp    NetSupport
netsupport       5405/udp    NetSupport
systemics-sox    5406/tcp    Systemics Sox
systemics-sox    5406/udp    Systemics Sox
foresyte-clear   5407/tcp    Foresyte-Clear
foresyte-clear   5407/udp    Foresyte-Clear
foresyte-sec     5408/tcp    Foresyte-Sec
foresyte-sec     5408/udp    Foresyte-Sec
salient-dtasrv   5409/tcp    Salient Data
salient-dtasrv   5409/udp    Salient Data
salient-usrmgr   5410/tcp    Salient User Mgr
salient-usrmgr   5410/udp    Salient User Mgr
actnet           5411/tcp    ActNet
actnet           5411/udp    ActNet
continuus        5412/tcp    Continuus
continuus        5412/udp    Continuus
wwiotalk         5413/tcp    WWIOTALK
wwiotalk         5413/udp    WWIOTALK
statusd          5414/tcp    StatusD
statusd          5414/udp    StatusD
ns-server        5415/tcp    NS Server
ns-server        5415/udp    NS Server
sns-gateway      5416/tcp    SNS Gateway
sns-gateway      5416/udp    SNS Gateway
sns-agent        5417/tcp    SNS Agent
sns-agent        5417/udp    SNS Agent
mcntp            5418/tcp    MCNTP
mcntp            5418/udp    MCNTP
dj-ice           5419/tcp    DJ-ICE
dj-ice           5419/udp    DJ-ICE
cylink-c         5420/tcp    Cylink-C
cylink-c         5420/udp    Cylink-C
netsupport2      5421/tcp    Net Support 2
netsupport2      5421/udp    Net Support 2
salient-mux      5422/tcp    Salient MUX
salient-mux      5422/udp    Salient MUX
virtualuser      5423/tcp    VIRTUALUSER
virtualuser      5423/udp    VIRTUALUSER
#                5424-5425   Unassigned
devbasic         5426/tcp    DEVBASIC
devbasic         5426/udp    DEVBASIC
sco-peer-tta     5427/tcp    SCO-PEER-TTA
sco-peer-tta     5427/udp    SCO-PEER-TTA
telaconsole      5428/tcp    TELACONSOLE
nbx-cc           2093/udp    NBX CC
nbx-au           2094/tcp    NBX AU
nbx-au           2094/udp    NBX AU
nbx-ser          2095/tcp    NBX SER
nbx-ser          2095/udp    NBX SER
nbx-dir          2096/tcp    NBX DIR
nbx-dir          2096/udp    NBX DIR
jetformpreview   2097/tcp    Jet Form Preview
jetformpreview   2097/udp    Jet Form Preview
dialog-port      2098/tcp    Dialog Port
dialog-port      2098/udp    Dialog Port
h2250-annex-g    2099/tcp    H.225.0 Annex G
h2250-annex-g    2099/udp    H.225.0 Annex G
amiganetfs       2100/tcp    amiganetfs
amiganetfs       2100/udp    amiganetfs
rtcm-sc104       2101/tcp    rtcm-sc104
rtcm-sc104       2101/udp    rtcm-sc104
zephyr-srv       2102/tcp    Zephyr server
zephyr-srv       2102/udp    Zephyr server
zephyr-clt       2103/tcp    Zephyr serv-hm
zephyr-clt       2103/udp    Zephyr serv-hm
zephyr-hm        2104/tcp    Zephyr hostman
zephyr-hm        2104/udp    Zephyr hostman
minipay          2105/tcp    MiniPay
minipay          2105/udp    MiniPay
mzap             2106/tcp    MZAP
mzap             2106/udp    MZAP
bintec-admin     2107/tcp    BinTec Admin
bintec-admin     2107/udp    BinTec Admin
comcam           2108/tcp    Comcam
comcam           2108/udp    Comcam
ergolight        2109/tcp    Ergolight
ergolight        2109/udp    Ergolight
umsp             2110/tcp    UMSP
umsp             2110/udp    UMSP
dsatp            2111/tcp    DSATP
dsatp            2111/udp    DSATP
idonix-metanet   2112/tcp    Idonix MetaNet
idonix-metanet   2112/udp    Idonix MetaNet
hsl-storm        2113/tcp    HSL StoRM
hsl-storm        2113/udp    HSL StoRM
newheights       2114/tcp    NEWHEIGHTS
newheights       2114/udp    NEWHEIGHTS
kdm              2115/tcp    KDM
kdm              2115/udp    KDM
ccowcmr          2116/tcp    CCOWCMR
ccowcmr          2116/udp    CCOWCMR
mentaclient      2117/tcp    MENTACLIENT
mentaclient      2117/udp    MENTACLIENT
mentaserver      2118/tcp    MENTASERVER
mentaserver      2118/udp    MENTASERVER
gsigatekeeper    2119/tcp    GSIGATEKEEPER
gsigatekeeper    2119/udp    GSIGATEKEEPER
qencp            2120/tcp    Quick Eagle CP
qencp            2120/udp    Quick Eagle CP
scientia-ssdb    2121/tcp    SCIENTIA-SSDB
scientia-ssdb    2121/udp    SCIENTIA-SSDB
caupc-remote     2122/tcp    CauPC Remote Ctl
caupc-remote     2122/udp    CauPC Remote Ctl
gtp-control      2123/tcp    GTP-Control 3GPP
gtp-control      2123/udp    GTP-Control 3GPP
elatelink        2124/tcp    ELATELINK
elatelink        2124/udp    ELATELINK
lockstep         2125/tcp    LOCKSTEP
lockstep         2125/udp    LOCKSTEP
pktcable-cops    2126/tcp    PktCable-COPS
pktcable-cops    2126/udp    PktCable-COPS
index-pc-wb      2127/tcp    INDEX-PC-WB
index-pc-wb      2127/udp    INDEX-PC-WB
net-steward      2128/tcp    Net Steward Ctl
net-steward      2128/udp    Net Steward Ctl

telaconsole      5428/udp    TELACONSOLE
base             5429/tcp    Billing and Acc
base             5429/udp    Billing and Acc
radec-corp       5430/tcp    RADEC CORP
radec-corp       5430/udp    RADEC CORP
park-agent       5431/tcp    PARK AGENT
park-agent       5431/udp    PARK AGENT
#                5432-5434   Unassigned
dttl             5435/tcp    Data (DTTL)
dttl             5435/udp    Data (DTTL)
#                5436-5453   Unassigned
apc-tcp-udp-4    5454/tcp    apc-tcp-udp-4
apc-tcp-udp-4    5454/udp    apc-tcp-udp-4
apc-tcp-udp-5    5455/tcp    apc-tcp-udp-5
apc-tcp-udp-5    5455/udp    apc-tcp-udp-5
apc-tcp-udp-6    5456/tcp    apc-tcp-udp-6
apc-tcp-udp-6    5456/udp    apc-tcp-udp-6
#                5457-5460   Unassigned
silkmeter        5461/tcp    SILKMETER
silkmeter        5461/udp    SILKMETER
ttl-publisher    5462/tcp    TTL Publisher
ttl-publisher    5462/udp    TTL Publisher
#                5463-5464   Unassigned
netops-broker    5465/tcp    NETOPS-BROKER
netops-broker    5465/udp    NETOPS-BROKER
#                5466-5499   Unassigned
fcp-addr-srvr1   5500/tcp    fcp-addr-srvr1
fcp-addr-srvr1   5500/udp    fcp-addr-srvr1
fcp-addr-srvr2   5501/tcp    fcp-addr-srvr2
fcp-addr-srvr2   5501/udp    fcp-addr-srvr2
fcp-srvr-inst1   5502/tcp    fcp-srvr-inst1
fcp-srvr-inst1   5502/udp    fcp-srvr-inst1
fcp-srvr-inst2   5503/tcp    fcp-srvr-inst2
fcp-srvr-inst2   5503/udp    fcp-srvr-inst2
fcp-cics-gw1     5504/tcp    fcp-cics-gw1
fcp-cics-gw1     5504/udp    fcp-cics-gw1
#                5505-5553   Unassigned
sgi-esphttp      5554/tcp    SGI ESP HTTP
sgi-esphttp      5554/udp    SGI ESP HTTP
personal-agent   5555/tcp    Personal Agent
personal-agent   5555/udp    Personal Agent
#                5556-5598   Unassigned
esinstall        5599/tcp    Enterprise
esinstall        5599/udp    Enterprise
esmmanager       5600/tcp    Enterprise
esmmanager       5600/udp    Enterprise
esmagent         5601/tcp    Enterprise
esmagent         5601/udp    Enterprise
a1-msc           5602/tcp    A1-MSC
a1-msc           5602/udp    A1-MSC
a1-bs            5603/tcp    A1-BS
a1-bs            5603/udp    A1-BS
a3-sdunode       5604/tcp    A3-SDUNode
a3-sdunode       5604/udp    A3-SDUNode
a4-sdunode       5605/tcp    A4-SDUNode
a4-sdunode       5605/udp    A4-SDUNode
#                5606-5630   Unassigned
pcanywheredata   5631/tcp    pcANYWHEREdata
pcanywheredata   5631/udp    pcANYWHEREdata
pcanywherestat   5632/tcp    pcANYWHEREstat
pcanywherestat   5632/udp    pcANYWHEREstat
#                5633-5677   Unassigned
rrac             5678/tcp    Remote RAC
rrac             5678/udp    Remote RAC
dccm             5679/tcp    Direct Cable Mgr
dccm             5679/udp    Direct Cable Mgr
#                5680-5712   Unassigned
proshareaudio    5713/tcp    proshare audio
proshareaudio    5713/udp    proshare audio
prosharevideo    5714/tcp    proshare video
prosharevideo    5714/udp    proshare video
859 


cs-live 
cs-live 
swc-xds 
swc-xds 
avantageb2b 
avantageb2b 
avail-epmap 
avail-epmap 
zymed-zpp 
zymed-zpp 
avenue 
avenue 

gris 

gris 
appworxsrv 
appworxsrv 
connect 
connect 
unbind-cluster 
unbind-cluster 
ias-auth 
ias-auth 
ias-reg 
ias-reg 
ias-admind 
ias-admind 
tdm-over-ip 
tdm-over-ip 
lv-jec 

lv-jec 
lv-ffx 
lv-ffx 
lv-pici 
Iv=piei 
lv-not 
lv-not 
ilv-auth 
ilv-auth 
veritas-ucl 
veritas-ucl 
acptsys 
acptsys 
dynamic3d 
dynamic3d 
docent 
docent 
gtp-user 
gtp-user 

# 
x-bone-api 
x-bone-api 
iwserver 
iwserver 

# 

mc-—gt-srv 
mc-gt-srv 
eforward 
eforward 
phony 

ici 

ats 

ats 
imtc-map 
imtc-map 
kali 

kali 
ganymede 
ganymede 
rockwell-cspl 
rockwell-cspl 
rockwell-csp2 


2129/ 
2129/ 
2130/ 
2130/ 
2131/ 
2131/ 
2132/ 
2132/ 
2133/ 
2133/ 
2134/ 
2134/ 
2135/ 
2135/ 
2136/ 
2136/ 
2137/ 
2137/ 
2138/ 
2138/ 
2139/ 
2139/ 
2140/ 
2140/ 
2141/ 
2141/ 
2142/ 
2142/ 
2143/ 
2143/ 
2144/ 
2144/ 
2145/ 
2145/ 
2146/ 
2146/ 
2147/ 
2147/ 
2148/ 
2148/ 
2149/ 
2149/ 
2150/ 
2150/ 
2151/ 
2151/ 
2152/ 
2152/ 
2153= 
2165/ 
2165/ 
2166/ 
2166/ 
2167- 
2180/ 
2180/ 
2181/ 
2181/ 
2200/ 
2200/ 
2201/ 
2201/ 
2202/ 
2202/ 
2213/ 
2213/ 
2220/ 
2220/ 
2221/ 
2221/ 
2222/ 





ep 
udp 
top 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
top 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
top 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
2164 
tcp 
udp 
tcp 
udp 
2179 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
ep 














cs-live.com
cs-live.com
SWC-XDS
SWC-XDS
Avantageb2b
Avantageb2b
AVAIL-EPMAP
AVAIL-EPMAP
ZYMED-ZPP
ZYMED-ZPP
AVENUE
AVENUE
Grid Resource
Grid Resource
APPWORXSRV
APPWORXSRV
CONNECT
CONNECT
UNBIND-CLUSTER
UNBIND-CLUSTER
IAS-AUTH
IAS-AUTH
IAS-REG
IAS-REG
IAS-ADMIND
IAS-ADMIND
TDM-OVER-IP
TDM-OVER-IP
Live Vault
Live Vault
Live Vault
Live Vault
Live Vault
Live Vault
Live Vault
Live Vault
Live Vault
Live Vault
VERITAS
VERITAS
ACPTSYS
ACPTSYS
DYNAMIC3D
DYNAMIC3D
DOCENT
DOCENT
GTP-User (3GPP)
GTP-User (3GPP)
Unassigned
X-Bone API
X-Bone API
IWSERVER
IWSERVER
Unassigned
MVGS
MVGS
eforward
eforward
ICI
ICI
ATSP
ATSP
Int. Multimedia
Int. Multimedia
Kali
Kali
Ganymede
Ganymede
Rockwell CSP1
Rockwell CSP1
Rockwell CSP2





prosharedata 
prosharedata 


prosharerequest 
prosharerequest 


prosharenotify 
prosharenotify 
# 

openmail 
openmail 

# 
ida-discover1
ida-discover1
ida-discover2 
ida-discover2 
# 

fcopy-server 
fcopy-server 
fcopys-server 
fcopys-server 


netagent 
netagent 


icmpd 
icmpd 


wherehoo 
wherehoo 








mppolicy-v5 
mppolicy-v5 
mppolicy-mgr 
mppolicy-mgr 


cvsup 
cvsup 

x11 

x11 
ndl-ahp-svc 
ndl-ahp-svc 
winpharaoh 
winpharaoh 
ewctsp 

ewctsp 

srb 

srb 

gsmp 

gsmp 

trip 

trip 
messageasap 
messageasap 
ssdtp 

ssdtp 
diagnose-proc 
diagnose-proc
directplay8 
directplay8 

# 
synchronet-db
synchronet-db
synchronet-rtc 
synchronet-rtc 
synchronet-upd
synchronet-upd
rets 

rets 

dbdb 

dbdb 
primaserver 
primaserver 


5715/tcp
5715/udp
5716/tcp
5716/udp
5717/tcp
5717/udp
5718-57
5729/tcp
5729/udp
5730-57
5741/tcp
5741/udp
5742/tcp
5742/udp
5743-57
5745/tcp
5745/udp
5746/tcp
5746/udp
5769-57
5771/tcp
5771/udp
5772-58
5813/tcp
5813/udp
5814-58
5859/tcp
5859/udp
5860-59
5968/tcp
5968/udp
5969/tcp
5969/udp
5970-59
5999/tcp
5999/udp
6000-60
6000-60
6064/tcp
6064/udp
6065/tcp
6065/udp
6066/tcp
6066/udp
6067/tcp
6067/udp
6068/tcp
6068/udp
6069/tcp
6069/udp
6070/tcp
6070/udp
6071/tcp
6071/udp
6072/tcp
6072/udp
6073/tcp
6073/udp
6074-60
6100/tcp
6100/udp
6101/tcp
6101/udp
6102/tcp
6102/udp
6103/tcp
6103/udp
6104/tcp
6104/udp
6105/tcp
6105/udp










Port list 
proshare data
proshare data
proshare request
proshare request
proshare notify
proshare notify
Unassigned
Openmail
Openmail
Unassigned
IDA Disc Port
IDA Disc Port
IDA Disc Port
IDA Disc Port
Unassigned
fcopy-server
fcopy-server
fcopys-server
fcopys-server
Unassigned
NetAgent
NetAgent
Unassigned
ICMPD
ICMPD
Unassigned
WHEREHOO
WHEREHOO
Unassigned
mppolicy-v5
mppolicy-v5
mppolicy-mgr
mppolicy-mgr
Unassigned
CVSup
CVSup
X Window
X Window
NDL-AHP-SVC
NDL-AHP-SVC
WinPharaoh
WinPharaoh
EWCTSP
EWCTSP
SRB
SRB
GSMP
GSMP
TRIP
TRIP
Messageasap
Messageasap
SSDTP
SSDTP
DIAGNOSE-PROC
DIAGNOSE-PROC
DirectPlay8
DirectPlay8
Unassigned
SynchroNet-db
SynchroNet-db
SynchroNet-rtc
SynchroNet-rtc
SynchroNet-upd
SynchroNet-upd
RETS
RETS
DBDB
DBDB
Prima Server
Prima Server
rockwell-csp2
rockwell-csp3 
rockwell-csp3 
ivs-video 
ivs-video 
infocrypt 
infocrypt 
directplay 
directplay 
sercomm-wlink 
sercomm-wlink 
nani 

nani 


optech-port1-lm
optech-port1-lm


aviva-sna 
aviva-sna 
imagequery 
imagequery 
recipe 

recipe 

ivsd 

ivsd 

foliocorp 
foliocorp 
magicom 
magicom 
nmsserver 
nmsserver 

hao 

hao 

# 

xmquery 
xmquery 
invpoller 
invpoller 
invconsole 
invconsole 
invalarm 
invalarm 
invstatus 
invstatus 
invmaps 
invmaps 
invmailmon 
invmailmon 
nas-metering 
nas-metering 
dna 

dna 

netml 

netml 

# 

konshus-lm
konshus-lm
advant-lm
advant-lm
theta-lm 
theta-lm 
d2k-datamover1
d2k-datamover1
d2k-datamover2 
d2k-datamover2 
pc-telecommute
pc-telecommute 
cvmmon 

cvmmon 
cpq-wbem 
cpq-wbem
binderysupport 
binderysupport 


2222/udp 
2223/tcp 
2223/udp 
2232/tcp
2232/udp 
2233/tcp 
2233/udp 
2234/tcp
2234/udp 
2235/tcp 
2235/udp 
2236/tcp 
2236/udp 
2237/tcp 
2237/udp 
2238/tcp 
2238/udp 
2239/tcp 
2239/udp 
2240/tcp 
2240/udp 
2241/tcp 
2241/udp 
2242/tcp 
2242/udp 
2243/tcp 
2243/udp 
2244/tcp 
2244/udp 
2245/tcp
2245/udp 
2245-2278 
2279/tcp 
2279/udp 
2280/tcp 
2280/udp 
2281/tcp 
2281/udp 
2282/tcp 
2282/udp 
2283/tcp 
2283/udp 
2284/tcp 
2284/udp 
2285/tcp 
2285/udp 
2286/tcp 
2286/udp 
2287/tcp 
2287/udp 
2288/tcp 
2288/udp 
2289-2293 
2294/tcp 
2294/udp 
2295/tcp 
2295/udp 
2296/tcp 
2296/udp 
2297/tcp
2297/udp 
2298/tcp 
2298/udp 
2299/tcp 
2299/udp 
2300/tcp 
2300/udp 
2301/tcp 
2301/udp 
2302/tcp
2302/udp 














Rockwell CSP2 
Rockwell CSP3 
Rockwell CSP3 
IVS Video 

IVS Video 
INFOCRYPT 
INFOCRYPT 
DirectPlay 
DirectPlay 
Sercomm-WLink
Sercomm-WLink 
Nani 

Nani 

Optech Port1
Optech Port1
AVIVA SNA SERVER 
AVIVA SNA SERVER 
Image Query 
Image Query 
RECIPe 

RECIPe 

IVS Daemon 

IVS Daemon 
Folio Remote 
Folio Remote 
Magicom Protocol
Magicom Protocol
NMS Server
NMS Server

HaO 

HaO 

Unassigned 
xmquery 
xmquery 
LNVPOLLER 
LNVPOLLER 
LNVCONSOLE 
LNVCONSOLE 
LNVALARM 
LNVALARM 
LNVSTATUS 
LNVSTATUS 
LNVMAPS 

LNVMAPS 
LNVMAILMON 
LNVMAILMON 
NAS-Metering
NAS-Metering
DNA 

DNA 

NETML
NETML
Unassigned 
Konshus (FLEX) 
Konshus (FLEX) 
Advant 

Advant 

Theta (Rainbow) 
Theta (Rainbow) 
D2K DataMover 1 
D2K DataMover 1 
D2K DataMover 2 
D2K DataMover 2 
PC Telecommute 
PC Telecommute 
CVMMON 

CVMMON 

Compaq HTTP 
Compaq HTTP 
Bindery Support 
Bindery Support 














mpsserver 
mpsserver 
etc-control 
etc-control 
sercomm-scadmin 
sercomm-scadmin 
globecast-id 
globecast-id 
softcm 

softcm 

spc 

spc 

dtspcd 

dtspcd 

# 
backup-express 
backup-express 
# 

meta-corp 
meta-corp 
aspentec-lm 
aspentec-lm 
watershed-lm 
watershed-lm 
statsci1-lm
statsci1-lm
statsci2-lm
statsci2-lm
lonewolf-lm
lonewolf-lm
montage-lm 
montage-lm 
ricardo-lm 
ricardo-lm 
tal-pod 
tal-pod 


crip 

crip 

# 

emp-server1
emp-server1
emp-server2 
emp-server2 

# 
clariion-evr01
clariion-evr01
# 

info-aps 
info-was 
info-eventsvr 
info-cachesvr 
info-filesvr 
info-pagesvr 
info-processvr 
reserved1
reserved2 
reserved3 
reserved4 

# 
skip-cert-recv 
skip-cert-send 
# 

lvision-lm 
lvision-lm 

# 

boks 

boks 
boks_servc 
boks_servc
boks_servm 







6106/tcp
6106/udp
6107/tcp
6107/udp
6108/tcp
6108/udp
6109/tcp
6109/udp
6110/tcp
6110/udp
6111/tcp
6111/udp
6112/tcp
6112/udp
6113-61
6123/tcp
6123/udp
6124-61
6141/tcp
6141/udp
6142/tcp
6142/udp
6143/tcp
6143/udp
6144/tcp
6144/udp
6145/tcp
6145/udp
6146/tcp
6146/udp
6147/tcp
6147/udp
6148/tcp
6148/udp
6149/tcp
6149/udp
6150-62
6253/tcp
6253/udp
6254-63
6321/tcp
6321/udp
6322/tcp
6322/udp
6323-63
6389/tcp
6389/udp
6390-63
6400
6401
6402
6403
6404
6405
6406
6407
6408
6409
6410
6411-64
6455/tcp
6456/tcp
6457-64
6471/tcp
6471/udp
6472-64
6500/tcp
6500/udp
6501/tcp
6501/udp
6502/tcp
MPS Server

MPS Server 

ETC Control 

ETC Control 
Sercomm-SCAdmin 
Sercomm-SCAdmin 
GLOBECAST-ID 
GLOBECAST-ID 
HP SoftBench CM
HP SoftBench CM
HP SoftBench
HP SoftBench
dtspcd 
dtspcd 
Unassigned 
Backup Express 
Backup Express 
Unassigned 

Meta Corporation 
Meta Corporation 
Aspen Technology 
Aspen Technology 
Watershed 
Watershed 
StatSci
StatSci
StatSci
StatSci
Lone Wolf 
Lone Wolf 
Montage 
Montage 
Ricardo America 
Ricardo America 
tal-pod 

tal-pod 
Unassigned 

CRIP 

CRIP 

Unassigned 
Empress Software 
Empress Software 
Empress Software 
Empress Software 
Unassigned 
clariion-evr01
clariion-evr01
Unassigned 







Unassigned 

SKIP Certificate 
SKIP Certificate 
Unassigned 
LVision 

LVision 
Unassigned 

BoKS Master 

BoKS Master 

BoKS Servc
BoKS Servc

BoKS Servm 
proxy-gateway
proxy-gateway 
attachmate-uts 
attachmate-uts 
mt-scaleserver
mt-scaleserver
tappi-boxnet 
tappi-boxnet 
pehelp 

pehelp 

sdhelp 

sdhelp 
sdserver 
sdserver 
sdclient 
sdclient 
messageservice 
messageservice 
iapp 

iapp 
cr-websystems 
cr-websystems 
precise-sft 
precise-sft 
sent-lm
sent-lm
attachmate-g32 
attachmate-g32 
cadencecontrol 
cadencecontrol 
infolibria 
infolibria 
siebel-ns 
siebel-ns 
rdlap 

rdlap 

ofsd 

ofsd 

3d-nfsd 
3d-nfsd 
cosmocall 
cosmocall 
designspace-lm
designspace-lm
idcp 

idcp 

xingcsm 
xingcsm 
netrix-sftm 
netrix-sftm 
nvd 

nvd 

tscchat 
tscchat 
agentview 
agentview 
rcc-host
rcc-host

snapp 

snapp 
ace-client 
ace-client 
ace-proxy 
ace-proxy 
appleugcontrol 
appleugcontrol 
ideesrv 
ideesrv 
norton-lambert 
norton-lambert 
3com-webview 


2303/tcp
2303/udp
2304/tcp
2304/udp
2305/tcp
2305/udp
2306/tcp
2306/udp
2307/tcp
2307/udp
2308/tcp
2308/udp
2309/tcp
2309/udp
2310/tcp
2310/udp
2311/tcp
2311/udp
2313/tcp
2313/udp
2314/tcp
2314/udp
2315/tcp
2315/udp
2316/tcp
2316/udp
2317/tcp
2317/udp
2318/tcp
2318/udp
2319/tcp
2319/udp
2320/tcp
2320/udp
2321/tcp
2321/udp
2322/tcp
2322/udp
2323/tcp
2323/udp
2324/tcp
2324/udp
2325/tcp
2325/udp
2326/tcp
2326/udp
2327/tcp
2327/udp
2328/tcp
2328/udp
2329/tcp
2329/udp
2330/tcp
2330/udp
2331/tcp
2331/udp
2332/tcp
2332/udp
2333/tcp
2333/udp
2334/tcp
2334/udp
2335/tcp
2335/udp
2336/tcp
2336/udp
2337/tcp
2337/udp
2338/tcp
2338/udp
2339/tcp











Proxy Gateway 
Proxy Gateway 
Attachmate UTS 
Attachmate UTS 
MT ScaleServer 
MT ScaleServer 
TAPPI BoxNet 
TAPPI BoxNet 
pehelp 

pehelp 

sdhelp 

sdhelp 

SD Server 

SD Server 

SD Client 

SD Client 
Message Service 
Message Service 
IAPP 

IAPP 

CR WebSystems 
CR WebSystems 
Precise Sft. 
Precise Sft. 
SENT 

SENT 

Attachmate G32 
Attachmate G32 
Cadence Control 
Cadence Control 
InfoLibria 
InfoLibria 
Siebel NS 
Siebel NS 

RDLAP over UDP 
RDLAP 

ofsd 

ofsd 

3d-nfsd 

3d-nfsd 
Cosmocall 
Cosmocall 
Design Space 
Design Space 
IDCP 

IDCP 

xingcsm 
xingcsm 

Netrix SFTM 
Netrix SFTM 

NVD 

NVD 

TSCCHAT 

TSCCHAT 
AGENTVIEW 
AGENTVIEW 

RCC Host 

RCC Host 

SNAPP 

SNAPP 

ACE Client Auth 
ACE Client Auth 
ACE Proxy 

ACE Proxy 

Apple UG Control 
Apple UG Control 
ideesrv 

ideesrv 

Norton Lambert 
Norton Lambert 
3Com WebView 








boks_servm 
boks_clntd
boks_clntd

# 

badm_priv 
badm_priv 
badm_pub 
badm_pub 
bdir_priv 
bdir_priv 
bdir_pub 
bdir_pub 

# 
apc-tcp-udp-1 
apc-tcp-udp-1 
apc-tcp-udp-2 
apc-tcp-udp-2 
apc-tcp-udp-3 
apc-tcp-udp-3 
fg-sysupdate 
fg-sysupdate 
# 


xdsxdm 

xdsxdm 

ircu 

ircu 
vocaltec-gold 
vocaltec-gold 
vision_server 
vision_server 
vision_elmd 
vision_elmd 
kti-icad-srvr 
kti-icad-srvr 
# 
bmc-perf-agent 
bmc-perf-agent 
bmc-perf-mgrd 
bmc-perf-mgrd 
# 

hnmp 

hnmp 

ambit-lm 
ambit-lm 
netmo-default 
netmo-default 
netmo-http 
netmo-http 

# 

iccrushmore 
iccrushmore 

# 

muse 

muse 

# 

jmact3 

jmact3 

jmevt2 

jmevt2 
swismgr1
swismgr1
swismgr2 
swismgr2 
swistrap 
swistrap 
swispol 
swispol 
acmsoda 
acmsoda 
iatp-highpri 
iatp-highpri 


6502/udp
6503/tcp
6503/udp
6504
6505/tcp
6505/udp
6506/tcp
6506/udp
6507/tcp
6507/udp
6508/tcp
6508/udp
6509-65
6547/tcp
6547/udp
6548/tcp
6548/udp
6549/tcp
6549/udp
6550/tcp
6550/udp
6551-65
6558/tcp
6558/udp
6665-66
6665-66
6670/tcp
6670/udp
6672/tcp
6672/udp
6673/tcp
6673/udp
6701/tcp
6701/udp
6702-67
6767/tcp
6767/udp
6768/tcp
6768/udp
6769-67
6790/tcp
6790/udp
6831/tcp
6831/udp
6841/tcp
6841/udp
6842/tcp
6842/udp
6843-68
6850/tcp
6850/udp
6851-68
6888/tcp
6888/udp
6889-69
6961/tcp
6961/udp
6962/tcp
6962/udp
6963/tcp
6963/udp
6964/tcp
6964/udp
6965/tcp
6965/udp
6966/tcp
6966/udp
6969/tcp
6969/udp
6998/tcp
6998/udp
APPENDIX D


BoKS Servm
BoKS Clntd
BoKS Clntd
Unassigned
BoKS Admin
BoKS Admin
BoKS Admin
BoKS Admin
BoKS Dir Server
BoKS Dir Server
BoKS Dir Server
BoKS Dir Server
Unassigned
apc-tcp-udp-1
apc-tcp-udp-1
apc-tcp-udp-2
apc-tcp-udp-2
apc-tcp-udp-3
apc-tcp-udp-3
fg-sysupdate
fg-sysupdate
Unassigned
IRCU
IRCU
Vocaltec Global
Vocaltec Global
vision_server
vision_server
vision_elmd
vision_elmd
KTI/ICAD NS
KTI/ICAD NS
Unassigned
BMC PERFORM
BMC PERFORM
BMC PERFORM
BMC PERFORM
Unassigned
HNMP
HNMP
ambit-lm
ambit-lm
Netmo Default
Netmo Default
Netmo HTTP
Netmo HTTP
Unassigned
ICCRUSHMORE
ICCRUSHMORE
Unassigned
MUSE
MUSE
Unassigned
JMACT3
JMACT3
jmevt2
jmevt2
swismgr1
swismgr1
swismgr2
swismgr2
swistrap
swistrap
swispol
swispol
acmsoda
acmsoda
IATP-highPri
IATP-highPri




3com-webview 
wrs_registry 
wrs_registry 
xiostatus 
xiostatus 
manage-exec 
manage-exec 
nati-logos 
nati-logos 
fcmsys 

fcmsys 

dbm 

dbm 
redstorm_join 
redstorm_join 
redstorm_find 
redstorm_find 
redstorm_info 
redstorm_info 
redstorm_diag 
redstorm_diag 
psbserver 
psbserver 
psrserver 
psrserver 
pslserver 
pslserver 
pspserver 
pspserver 
psprserver 
psprserver 
psdbserver 
psdbserver 
gxtelmd 
gxtelmd 
unihub-server 
unihub-server 
futrix 

futrix 
flukeserver 
flukeserver 
nexstorindltd 
nexstorindltd 
tl1
tl1
digiman 
digiman 
mediacntrlnfsd
mediacntrlnfsd
oi-2000
oi-2000

dbref 

dbref 
qip-login 
qip-login 
service-ctrl 
service-ctrl 
opentable 
opentable 
acs2000-dsp 
acs2000-dsp 
l3-hbmon
l3-hbmon

# 
compaq-https 
compaq-https 
ms-olap3 
ms-olap3 
ms-olap4 
ms-olap4 
sd-request 


2339/udp 
2340/tcp 
2340/udp 
2341/tcp 
2341/udp 
2342/tcp 
2342/udp 
2343/tcp 
2343/udp 
2344/tcp
2344/udp 
2345/tcp 
2345/udp 
2346/tcp 
2346/udp 
2347/tcp 
2347/udp 
2348/tcp 
2348/udp 
2349/tcp 
2349/udp 
2350/tcp 
2350/udp 
2351/tcp
2351/udp 
2352/tcp 
2352/udp 
2353/tcp 
2353/udp 
2354/tcp 
2354/udp 
2355/tcp 
2355/udp 
2356/tcp 
2356/udp 
2357/tcp 
2357/udp 
2358/tcp 
2358/udp 
2359/tcp 
2359/udp 
2360/tcp 
2360/udp 
2361/tcp 
2361/udp 
2362/tcp 
2362/udp 
2363/tcp 
2363/udp 
2364/tcp 
2364/udp 
2365/tcp 
2365/udp 
2366/tcp 
2366/udp 
2367/tcp 
2367/udp 
2368/tcp 
2368/udp 
2369/tcp 
2369/udp 
2370/tcp 
2370/udp 
2371-2380 
2381/tcp 
2381/udp 
2382/tcp 
2382/udp 
2383/tcp 
2383/udp 
2384/tcp 














3Com WebView
WRS Registry
WRS Registry
XIO Status
XIO Status
Seagate Manage
Seagate Manage
nati logos
nati logos
fcmsys
fcmsys
dbm
dbm
Game Connection Port
Game Connection Port
Game
Game
Game status
Game status
Diagnostics
Diagnostics
psbserver
psbserver
psrserver
psrserver
pslserver
pslserver
pspserver
pspserver
psprserver
psprserver
psdbserver
psdbserver
GXT License Man
GXT License Man
UniHub Server
UniHub Server
Futrix
Futrix
FlukeServer
FlukeServer
NexstorIndLtd
NexstorIndLtd
TL1
TL1
digiman
digiman
Media Cent NFSD
Media Cent NFSD
OI-2000
OI-2000
dbref
dbref
qip-login
qip-login
Service Control
Service Control
OpenTable
OpenTable
ACS2000 DSP
ACS2000 DSP
L3-HBMon
L3-HBMon
Unassigned
Compaq HTTPS
Compaq HTTPS
Microsoft OLAP
Microsoft OLAP
Microsoft OLAP
Microsoft OLAP
SD-REQUEST





iatp-normalpri 
iatp-normalpri 
afs3-fileserver 
afs3-fileserver 
afs3-callback 
afs3-callback 
afs3-prserver 
afs3-prserver 
afs3-vlserver 
afs3-vlserver 
afs3-kaserver 
afs3-kaserver 
afs3-volser 
afs3-volser 
afs3-errors 
afs3-errors 
afs3-bos 
afs3-bos 
afs3-update 
afs3-update 
afs3-rmtsys 
afs3-rmtsys 
ups-onlinet 
ups-onlinet 
talon-disc 
talon-disc 
talon-engine 
talon-engine 
microtalon-dis 
microtalon-dis 
microtalon-com 
microtalon-com 
talon-webserver 
talon-webserver 


dpserve
dpserve
dpserveadmin
dpserveadmin




arcp 
arcp 


lazy-ptop 
lazy-ptop 
font-service 
font-service 


virprot-lm 
virprot-lm 


clutild 
clutild 





fodms 
fodms 
dlip 
dlip 
swx


winqedit
winqedit








pmdmgr 

pmdmgr 

oveadmgr 
oveadmgr 
ovladmgr 
ovladmgr 
opi-sock 
opi-sock 


6999/tcp
6999/udp
7000/tcp
7000/udp
7001/tcp
7001/udp
7002/tcp
7002/udp
7003/tcp
7003/udp
7004/tcp
7004/udp
7005/tcp
7005/udp
7006/tcp
7006/udp
7007/tcp
7007/udp
7008/tcp
7008/udp
7009/tcp
7009/udp
7010/tcp
7010/udp
7011/tcp
7011/udp
7012/tcp
7012/udp
7013/tcp
7013/udp
7014/tcp
7014/udp
7015/tcp
7015/udp
7016-70
7020/tcp
7020/udp
7021/tcp
7021/udp
7022-70
7070/tcp
7070/udp
7071-70
7099/tcp
7099/udp
7100/tcp
7100/udp
7101-71
7121/tcp
7121/udp
7122-71
7174/tcp
7174/udp
7175-71
7200/tcp
7200/udp
7201/tcp
7201/udp
7300-73
7391-73
7395/tcp
7395/udp
7396-74
7426/tcp
7426/udp
7427/tcp
7427/udp
7428/tcp
7428/udp
7429/tcp
7429/udp
IATP-normalPri
IATP-normalPri
file server
file server
callbacks
callbacks
users & groups
users & groups
volume location
volume location
AFS/Kerberos
AFS/Kerberos
volume management
volume management
error service
error service
basic overseer
basic overseer
server-to-server
server-to-server
remote cache
remote cache
onlinet
onlinet
Talon Discovery
Talon Discovery
Talon Engine
Talon Engine
Microtalon
Microtalon
Microtalon
Microtalon
Talon Webserver
Talon Webserver
Unassigned
DP Serve
DP Serve
DP Serve Admin
DP Serve Admin
Unassigned
ARCP
ARCP
Unassigned
lazy-ptop
lazy-ptop
X Font Service
X Font Service
Unassigned
Virtual Proto
Virtual Proto
Unassigned
Clutild
Clutild
Unassigned
FODMS FLIP
FODMS FLIP
DLIP
DLIP
The Swiss Exch
Unassigned
winqedit
winqedit
Unassigned
OpenView DM Postmaster
OpenView DM Postmaster
OpenView DM Event
OpenView DM Event
OpenView DM Log
OpenView DM Log
OpenView DM rqt
OpenView DM rqt




sd-request 

# 

ovsessionmgr 
ovsessionmgr 
rsmtp 

rsmtp 
3com-net-mgmt 
3com-net-mgmt 
tacticalauth 
tacticalauth 
ms-olapl 
ms-olapl 
ms-olap2 
ms-olap2 
lan900_remote 
lan900_remote 
wusage 

wusage 

ncl
ncl

orbiter 
orbiter 
fmpro-fdal 
fmpro-fdal 
opequus-server 
opequus-server
cvspserver 
cvspserver 
taskmaster2000 
taskmaster2000 
taskmaster2000 
taskmaster2000 
iec870-5-104
iec870-5-104 
trc-netpoll 
trc-netpoll 
jediserver 
jediserver 
orion 

orion 
optimanet 
optimanet 
sns-protocol 
sns-protocol 
vrts-registry 
vrts-registry 
netwave-ap-mgmt 
netwave-ap-mgmt 
cdn 

cdn 
orion-rmi-reg 
orion-rmi-reg 
interlingua 
interlingua 
comtest 
comtest 
rmtserver 
rmtserver 
composit-server 
composit-server 
cas 

cas 
attachmate-s2s 
attachmate-s2s 
dslremote-mgmt 
dslremote-mgmt 
g-talk 

g-talk 
crmsbits 
crmsbits

rnrp 


2384/udp
2384-2388
2389/tcp
2389/udp
2390/tcp
2390/udp
2391/tcp
2391/udp
2392/tcp
2392/udp
2393/tcp
2393/udp
2394/tcp
2394/udp
2395/tcp
2395/udp
2396/tcp
2396/udp
2397/tcp
2397/udp
2398/tcp
2398/udp
2399/tcp
2399/udp
2400/tcp
2400/udp
2401/tcp
2401/udp
2402/tcp
2402/udp
2403/tcp
2403/udp
2404/tcp
2404/udp
2405/tcp
2405/udp
2406/tcp
2406/udp
2407/tcp
2407/udp
2408/tcp
2408/udp
2409/tcp
2409/udp
2410/tcp
2410/udp
2411/tcp
2411/udp
2412/tcp
2412/udp
2413/tcp
2413/udp
2414/tcp
2414/udp
2415/tcp
2415/udp
2416/tcp
2416/udp
2417/tcp
2417/udp
2418/tcp
2418/udp
2419/tcp
2419/udp
2420/tcp
2420/udp
2421/tcp
2421/udp
2422/tcp
2422/udp
2423/tcp











SD-REQUEST
Unassigned
OpenView Ses Mgr
OpenView Ses Mgr
RSMTP
RSMTP
3COM Net Mgr
3COM Net Mgr
Tactical Auth
Tactical Auth
MS OLAP 1
MS OLAP 1
MS OLAP 2
MS OLAP 2
LAN900 Remote
LAN900 Remote
Wusage
Wusage
NCL
NCL
Orbiter
Orbiter
FileMaker, Inc.
FileMaker, Inc.
OpEquus Server
OpEquus Server
cvspserver
cvspserver
TaskMaster 2000
TaskMaster 2000
TaskMaster 2000
TaskMaster 2000
IEC870-5-104
IEC870-5-104
TRC Netpoll
TRC Netpoll
JediServer
JediServer
Orion
Orion
OptimaNet
OptimaNet
SNS Protocol
SNS Protocol
VRTS Registry
VRTS Registry
Netwave AP Mgr
Netwave AP Mgr
CD
CD
orion-rmi-reg
orion-rmi-reg
Interlingua
Interlingua
COMTEST
COMTEST
RMT Server
RMT Server
Composit Server
Composit Server
cas
cas
Attachmate S2S
Attachmate S2S
DSL Remote Mgr
DSL Remote Mgr
G-Talk
G-Talk
CRMSBITS
CRMSBITS
RNRP





xmpv7 
xmpv7 

pmd 

pmd 
faximum 
faximum 
telops-lmd
telops-lmd
pafec-lm 
pafec-lm 
nta-ds 
nta-ds 
nta-us 
nta-us 
vsi-omega 
vsi-omega 


aries-kfinder 
aries-kfinder 


sun-lm 
sun-lm 


pmdfmgt 
pmdfmgt 








cbt 

cbt 

interwise 
interwise 

# 

accu-lmgr 
accu-lmgr 

# 

minivend 
minivend 

# 

t2-drm 

t2-drm 

t2-brm 

t2-brm 
supercell 
supercell 

# 
micromuse-ncps 
micromuse-ncps 
quest-vista 
quest-vista 

# 

irdmi2 

irdmi2 

irdmi 

irdmi 
vcom-tunnel 
vcom-tunnel 
teradataordbms 
teradataordbms 


http-alt 
http-alt 
# 
pro-ed 

pro-ed 

mindprint 
mindprint 
# 
http-alt 
http-alt 





indigo-vrmi 
indigo-vrmi 


7430/tcp
7430/udp
7431/tcp
7431/udp
7437/tcp
7437/udp
7491/tcp
7491/udp
7511/tcp
7511/udp
7544/tcp
7544/udp
7545/tcp
7545/udp
7566/tcp
7566/udp
7567-75
7570/tcp
7570/udp
7571-75
7588/tcp
7588/udp
7589-76
7633/tcp
7633/udp
7634-77
7777/tcp
7777/udp
7778/tcp
7778/udp
7779-77
7781/tcp
7781/udp
7782-77
7786/tcp
7786/udp
7787-79
7932/tcp
7932/udp
7933/tcp
7933/udp
7967/tcp
7967/udp
7968-79
7979/tcp
7979/udp
7980/tcp
7980/udp
7981-79
7999/tcp
7999/udp
8000/tcp
8000/udp
8001/tcp
8001/udp
8002/tcp
8002/udp
8003-80
8008/tcp
8008/udp
8009-80
8032/tcp
8032/udp
8033/tcp
8033/udp
8034-80
8080/tcp
8080/udp
8081-81
8130/tcp
8130/udp
OpenView DM
OpenView DM
OpenView DM
OpenView DM
Faximum
Faximum
telops-lmd
telops-lmd
pafec-lm
pafec-lm
FlowAnalyzer 
FlowAnalyzer 
FlowAnalyzer 
FlowAnalyzer 
VSI Omega 
VSI Omega 
Unassigned 
Aries Kfinder 
Aries Kfinder 
Unassigned 
Sun License Mgr 
Sun License Mgr 
Unassigned 
PMDF Management 
PMDF Management 
Unassigned 
cbt 

cbt 
Interwise 
Interwise 
Unassigned 
accu-lmgr 
accu-lmgr 
Unassigned 
MINIVEND 
MINIVEND 
Unassigned 

Tier 2 Data 
Tier 2 Data 
Tier 2 Business 
Tier 2 Business 
Supercell 
Supercell 
Unassigned 
Micromuse-ncps 
Micromuse-ncps 
Quest Vista 
Quest Vista 
Unassigned 
iRDMI2 

iRDMI2 

iRDMI 

iRDMI 

VCOM Tunnel 
VCOM Tunnel 
Teradata ORDBMS 
Teradata ORDBMS 
Unassigned 

HTTP Alternate 
HTTP Alternate 
Unassigned 
ProEd 

ProEd 

MindPrint 
MindPrint 
Unassigned 

HTTP Alternate 
HTTP Alternate 
Unassigned 
INDIGO-VRMI 
INDIGO-VRMI 



















rnrp 
kofax-svr 
kofax-svr 
fjitsuappmgr 
fjitsuappmgr 
applianttcp 
appliantudp 
mgcp-gateway 
mgcp-gateway 
ott 

ott 

ft-role 
ft-role 

venus 

venus 
venus-se
venus-se
codasrv 
codasrv 
codasrv-se 
codasrv-se 
pxc-epmap 
pxc-epmap 
optilogic 
optilogic 
topx 

topx 
unicontrol 
unicontrol 
msp 

msp 
sybasedbsynch 
sybasedbsynch 
spearway 
spearway 
pvsw-inet 
pvsw-inet 
netangel 
netangel 
powerclientcsf 
powerclientcsf 
btpp2sectrans
btpp2sectrans
dtnl 

dtnl 
bues_service 
bues_service 
ovwdb 

ovwdb 
hpppssvr 
hpppssvr 

ratl 

ratl 

netadmin 
netadmin 
netchat 
netchat 
snifferclient 
snifferclient 
madge-om 
madge-om 
indx-dds 
indx-dds 
wago-io-system 
wago-io-system 
altav-remmgt 
altav-remmgt 
rapido-ip 
rapido-ip 
griffin 
griffin 

















56/udp 
57/tcp
57/udp 
58/tcp 
58/udp 





RNRP 

KOFAX-SVR 
KOFAX-SVR 
Fujitsu App Mgr 
Fujitsu App Mgr 
Appliant TCP 
Appliant UDP 
Media Gateway 
Media Gateway 

1 Way Trip Time 
1 Way Trip Time 
FT-ROLE 

FT-ROLE 

venus 

venus 

venus-se
venus-se
codasrv 

codasrv 
codasrv-se 
codasrv-se 
pxc-epmap 
pxc-epmap 
OptiLogic 
OptiLogic 

TOP/X 

TOP/X 
UniControl 
UniControl 

MSP 

MSP 
SybaseDBSynch 
SybaseDBSynch 
Spearway Lockers 
Spearway Lockers
pvsw-inet 
pvsw-inet 
Netangel 
Netangel 
PowerClient 
PowerClient 

BT PP2 Sectrans 
BT PP2 Sectrans 
DTN1 

DTN1 
bues_service 
bues_service 
OpenView NNM 
OpenView NNM 
hpppsvr 


hpppsvr 
RATL 


RATL 

netadmin 
netadmin 
netchat 
netchat 
SnifferClient 
SnifferClient 
madge-om 
madge-om 
IndX-DDS 
IndX-DDS 
WAGO-IO-SYSTEM 
WAGO-IO-SYSTEM 
altav-remmgt 
altav-remmgt 
Rapido_IP 
Rapido_IP 
griffin 
griffin 





indigo-vbcp 
indigo-vbcp 
# 

patrol 
patrol 
patrol-snmp 
patrol-snmp 
# 

trivnet1
trivnet1
trivnet2 
trivnet2 


im-perfworks 
im-perfworks 
im-instmgr 
im-instmgr 
im-dta 

im-dta 
im-sserver 
im-sserver 
im-webwatcher 
im-webwatcher 


server-find 
server-find 











cruise-enum 
cruise-enum 
cruise-swroute 
cruise-swroute 
cruise-config 
cruise-config 
cruise-diags 
cruise-diags 
cruise-update 
cruise-update 
# 

cvd 

cvd 

sabarsd 
sabarsd 

abarsd 

abarsd 

admind 

admind 


npmp 
npmp 


vp2p 
vp2p 


rtsp-alt 
rtsp-alt 


ibus 
ibus 








mc-appserver
mc-appserver
openqueue 
openqueue 
ultraseek-http 
ultraseek-http 
# 

truecm 

truecm 

# 

cddbp-alt 
cddbp-alt 


8131/tcp
8131/udp
8132-81
8160/tcp
8160/udp
8161/tcp
8161/udp
8162-81
8200/tcp
8200/udp
8201/tcp
8201/udp
8202-82
8204/tcp
8204/udp
8205/tcp
8205/udp
8206/tcp
8206/udp
8207/tcp
8207/udp
8208/tcp
8208/udp
8209-83
8351/tcp
8351/udp
8352-83
8376/tcp
8376/udp
8377/tcp
8377/udp
8378/tcp
8378/udp
8379/tcp
8379/udp
8380/tcp
8380/udp
8381-83
8400/tcp
8400/udp
8401/tcp
8401/udp
8402/tcp
8402/udp
8403/tcp
8403/udp
8404-84
8450/tcp
8450/udp
8451-84
8473/tcp
8473/udp
8474-85
8554/tcp
8554/udp
8555-87
8733/tcp
8733/udp
8734-87
8763/tcp
8763/udp
8764/tcp
8764/udp
8765/tcp
8765/udp
8766-88
8804/tcp
8804/udp
8805-88
8880/tcp
8880/udp
INDIGO-VBCP
INDIGO-VBCP 
Unassigned 
Patrol 

Patrol 

Patrol SNMP 
Patrol SNMP 
Unassigned 
TRIVNET 
TRIVNET 
TRIVNET 
TRIVNET 
Unassigned 

LM Perfworks 
LM Perfworks 
LM Instmgr 

LM Instmgr 

LM Dta 

LM Dta 

LM SServer 

LM SServer 

LM Webwatcher 
LM Webwatcher 
Unassigned 
Server Find 
Server Find 
Unassigned 
Cruise ENUM 
Cruise ENUM 
Cruise SWROUTE 
Cruise SWROUTE 
Cruise CONFIG 
Cruise CONFIG 
Cruise DIAGS 
Cruise DIAGS 
Cruise UPDATE 
Cruise UPDATE 
Unassigned 

cvd 

cvd 
sabarsd 
sabarsd 
abarsd 
abarsd 
admind 
admind 
Unassigned 
npmp 

npmp 
Unassigned 
Virtual P-to-P 
Virtual P-to-P 
Unassigned 
RTSP Alternate 
RTSP Alternate 
Unassigned 
iBus 

iBus 
Unassigned 
MC-APPSERVER 
MC-APPSERVER 
OPENQUEUE 
OPENQUEUE 
Ultraseek HTTP 
Ultraseek HTTP 
Unassigned 
truecm 

truecm 




















CDDBP 
CDDBP 
community
community 
ms-theater 
ms-theater 
qadmifoper
qadmifoper
qadmifevent
qadmifevent
symbios-raid 
symbios-raid 
direcpc-si 
direcpc-si
lbm 

lbm 

lbf
lbf
high-criteria 
high-criteria 
qip-msgd 
qip-msgd 
mti-tcs-comm 
mti-tcs-comm 
taskman-port 
taskman-port 
seaodbc 
seaodbc 

c3
c3

aker-cdp 
aker-cdp 
vitalanalysis 
vitalanalysis 
ace-server 
ace-server 
ace-svr-prop 
ace-svr-prop 
ssm-cvs
ssm-cvs
ssm-cssps
ssm-cssps
ssm-els 
ssm-els 
lingwood 
lingwood 
giop 

giop 
giop-ssl 
giop-ssl 

ttc
ttc

ttc-ssl 
ttc-ssl 
netobjects1
netobjects1
netobjects2 
netobjects2 
pns 

pns 

moy-corp 
moy-corp 
tsilb 

tsilb 
qip-qdhcp 
qip-qdhcp 
conclave-cpp 
conclave-cpp 
groove 
groove 
talarian-mqs 
talarian-mqs 
bmc-ar 


2459/tcp
2459/udp
2460/tcp
2460/udp
2461/tcp
2461/udp
2462/tcp
2462/udp
2463/tcp
2463/udp
2464/tcp
2464/udp
2465/tcp
2465/udp
2466/tcp
2466/udp
2467/tcp
2467/udp
2468/tcp
2468/udp
2469/tcp
2469/udp
2470/tcp
2470/udp
2471/tcp
2471/udp
2472/tcp
2472/udp
2473/tcp
2473/udp
2474/tcp
2474/udp
2475/tcp
2475/udp
2476/tcp
2476/udp
2477/tcp
2477/udp
2478/tcp
2478/udp
2479/tcp
2479/udp
2480/tcp
2480/udp
2481/tcp
2481/udp
2482/tcp
2482/udp
2483/tcp
2483/udp
2484/tcp
2484/udp
2485/tcp
2485/udp
2486/tcp
2486/udp
2487/tcp
2487/udp
2488/tcp
2488/udp
2489/tcp
2489/udp
2490/tcp
2490/udp
2491/tcp
2491/udp
2492/tcp
2492/udp
2493/tcp
2493/udp
2494/tcp














Community
Community
ms-theater
ms-theater
qadmifoper
qadmifoper
qadmifevent
qadmifevent
Symbios Raid
Symbios Raid
DirecPC SI
DirecPC SI
Load Balance Mgr
Load Balance Mgr
Load Balance Fwr
Load Balance Fwr
High Criteria
High Criteria
qip_msgd
qip_msgd
MTI-TCS-COMM
MTI-TCS-COMM
taskman port
taskman port
SeaODBC
SeaODBC
C3
C3
Aker-cdp
Aker-cdp
Vital Analysis
Vital Analysis
ACE Server
ACE Server
ACE Server
ACE Server
SecurSight
SecurSight
SecurSight (SSL)
SecurSight (SSL)
SecurSight (SSL)
SecurSight (SSL)
Lingwood's
Lingwood's
Oracle GIOP
Oracle GIOP
Oracle GIOP SSL
Oracle GIOP SSL
Oracle TTC
Oracle TTC
Oracle TTC SSL
Oracle TTC SSL
Net Objects1
Net Objects1
Net Objects2
Net Objects2
Policy Notice
Policy Notice
Moy Corporation
Moy Corporation
TSILB
TSILB
qip_qdhcp
qip_qdhcp
Conclave CPP
Conclave CPP
GROOVE
GROOVE
Talarian MQS
Talarian MQS
BMC AR





ddi-tcp-1
ddi-udp-1
ddi-tcp-2
ddi-udp-2
ddi-tcp-3
ddi-udp-3
ddi-tcp-4
ddi-udp-4
ddi-tcp-5
ddi-udp-5
ddi-tcp-6
ddi-udp-6
ddi-tcp-7
ddi-udp-7
jmb-cds1
jmb-cds1
jmb-cds2 
jmb-cds2 





cslistener 
cslistener 


websm 
websm 








netlock1
netlock1
netlock2 
netlock2 
netlock3 
netlock3 
netlock4 
netlock4 
netlock5 
netlock5 





wap-wsp 
wap-wsp 
wap-wsp-wtp 
wap-wsp-wtp 
wap-wsp-s
wap-wsp-s
wap-wsp-wtp-s 
wap-wsp-wtp-s 
wap-vcard 
wap-vcard 
wap-vcal 
wap-vcal 
wap-vcard-s 
wap-vcard-s 
wap-vcal-s 
wap-vcal-s 

# 

callwaveiam 
callwaveiam 

# 

guibase 
guibase 

# 

mpidcmgr 
mpidcmgr 
mphlpdmc 
mphlpdmc 

# 

fjdmimgr 
fjdmimgr 

# 








8881-88
8888/tcp
8888/udp
8889/tcp
8889/udp
8890/tcp
8890/udp
8891/tcp
8891/udp
8892/tcp
8892/udp
8893/tcp
8893/udp
8894/tcp
8894/udp
8895-88
8900/tcp
8900/udp
8901/tcp
8901/udp
8902-89
9000/tcp
9000/udp
9001-90
9006
9007-90
9090/tcp
9090/udp
9091-91
9160/tcp
9160/udp
9161/tcp
9161/udp
9162/tcp
9162/udp
9163/tcp
9163/udp
9164/tcp
9164/udp
9165-91
9200/tcp
9200/udp
9201/tcp
9201/udp
9202/tcp
9202/udp
9203/tcp
9203/udp
9204/tcp
9204/udp
9205/tcp
9205/udp
9206/tcp
9206/udp
9207/tcp
9207/udp
9208-92
9283/tcp
9283/udp
9284-93
9321/tcp
9321/udp
9322-93
9343/tcp
9343/udp
9344/tcp
9344/udp
9345-93
9374/tcp
9374/udp
9375-93
Unassigned
NewsEDGE TCP 1
NewsEDGE UDP 1
TCP 1
NewsEDGE server
TCP 2
NewsEDGE
NESS app
NESS app
FARM product
FARM product
NewsEDGE
NewsEDGE
COAL app
COAL app
Unassigned
JMB-CDS 1
JMB-CDS 1
JMB-CDS 2
JMB-CDS 2
Unassigned
CSlistener
CSlistener
Unassigned
De-Commissioned
Unassigned
WebSM
WebSM
Unassigned
Net LOCK1
Net LOCK1
Net LOCK2
Net LOCK2
Net LOCK3
Net LOCK3
Net LOCK4
Net LOCK4
Net LOCK5
Net LOCK5
Unassigned
WAP
WAP
WAP session
WAP session
WAP secure
WAP secure
WAP secure
WAP secure
WAP vCard
WAP vCard
WAP vCal
WAP vCal
WAP vCard
WAP vCard
WAP vCal Secure
WAP vCal Secure
Unassigned
CallWaveIAM
CallWaveIAM
Unassigned
guibase
guibase
Unassigned
MpIdcMgr
MpIdcMgr
Mphlpdmc
Mphlpdmc
Unassigned
fjdmimgr
fjdmimgr
Unassigned







bmc-ar 
fast-rem-serv 
fast-rem-serv 
dirgis 

dirgis 

quaddb 

quaddb 
odn-castraq 
odn-castraq 
unicontrol 
unicontrol 
rtsserv 
rtsserv 
rtsclient 
rtsclient 
kentrox-prot
kentrox-prot
nms-dpnss
nms-dpnss
wlbs 

wlbs 
torque-traffic 
torque-traffic 
jbroker 
jbroker 

spock 

spock 
jdatastore 
jdatastore 
fjmpss
fjmpss
fjappmgrbulk 
fjappmgrbulk 
metastorm 
metastorm 
citrixima 
citrixima 
citrixadmin 
citrixadmin 
facsys-ntp 
facsys-ntp 
facsys-router 
facsys-router 
maincontrol 
maincontrol 
call-sig-trans 
call-sig-trans 
willy 

willy 
globmsgsvc 
globmsgsvc 
pvsw 

pvsw 
adaptecmgr 
adaptecmgr 
windb 

windb 
qke-llc-v3 
qke-llc-v3 
optiwave-lm 
optiwave-lm 
ms-v-worlds
ms-v-worlds
ema-sent-lm
ema-sent-lm
iqserver
iqserver

ncr_ccl
ncr_ccl
utsftp 

utsftp 








2506/tcp 
2506/udp 
2507/tcp 
2507/udp 
2508/tcp 
2508/udp 
2509/tcp 
2509/udp 
2510/tcp 
2510/udp 
2511/tcp
2511/udp 
2512/tcp 
2512/udp 
2513/tcp
2513/udp 
2514/tcp 
2514/udp 
2515/tcp
2515/udp 
2516/tcp 
2516/udp 
2517/tcp 
2517/udp 
2518/tcp 
2518/udp 
2519/tcp 
2519/udp 
2520/tcp 
2520/udp 
2521/tcp
2521/udp 
2522/tcp
2522/udp 
2523/tcp 
2523/udp 
2524/tcp 
2524/udp 
2525/tcp 
2525/udp 
2526/tcp 
2526/udp 
2527/tcp 
2527/udp 
2528/tcp 
2528/udp 
2529/tcp
2529/udp 








BMC AR 

Fast Remote Serv 
Fast Remote Serv 
DIRGIS 

DIRGIS 

Quad DB 

Quad DB 
ODN-CasTraq 
ODN-CasTraq 
UniControl 
UniControl 
Resource Track 
Resource Track 
Resource Track 
Resource Track 
Kentrox Protocol 
Kentrox Protocol 
NMS-DPNSS 
NMS-DPNSS 

WLBS 

WLBS 
torque-traffic 
torque-traffic 
jbroker 

jbroker 

spock 

spock 
JDataStore 
JDataStore 
fjmpss

fjmpss
fjappmgrbulk 
fjappmgrbulk 
Metastorm 
Metastorm 
Citrix IMA 
Citrix IMA 
Citrix ADMIN 
Citrix ADMIN 
Facsys NTP
Facsys NTP 
Facsys Router 
Facsys Router 
Main Control 
Main Control 
H.323 Annex E 
H.323 Annex E 
Willy 

Willy 
globmsgsvc 
globmsgsvc 

pvsw 

pvsw 

Adaptec Manager 
Adaptec Manager 
WinDb 

WinDb 

Qke LLC V.3 

Qke LLC V.3 
Optiwave 
Optiwave 

MS V-Worlds 

MS V-Worlds 

EMA License Mgr 
EMA License Mgr 
IQ Server 

IQ Server 

NCR CCL 

NCR CCL 

UTS FTP 

UTS FTP 





fjinvmgr 
fjinvmgr 
mpidcagt 
mpidcagt 
ci 
ismserver 
ismserver 


msgsys 
msgsys 

pds 

pds 

# 
micromuse-ncpw 
micromuse-ncpw 
# 

rasadv 

rasadv 

# 

sd 

sd 
cyborg-systems 
cyborg-systems 
monkeycom 
monkeycom 
sctp-tunneling 
sctp-tunneling 
iua 

iua 

# 

domaintime 
domaintime 

# 
apcpcpluswinl 
apcpcpluswinl 
apcpcpluswin2 
apcpcpluswin2 
apcpcpluswin3 
apcpcpluswin3 
# 

palace 

palace 

palace 

palace 

palace 

palace 

palace 

palace 

palace 

palace 

palace 

palace 
distinct32 
distinct32 
distinct 
distinct 

ndmp 

ndmp 








mvs-capacity 
mvs-capacity 


amanda 
amanda 





netiq-endpoint 
netiq-endpoint 
netiq-qcheck 


9396/tc 
9396/ud 
9397/tc 
9397/ud 
9398-94 
9500/tc 
9500/ud 
9501-95 
9535/tc 
9535/ud 
9536-95 
9594/tc 
9594/ud 
9595/tc 
9595/ud 
9596-95 
9600/tc 
9600/ud 
9601-97 
9753/tc 
9753/ud 
9754-98 
9876/tc 
9876/ud 
9888/tc 
9888/ud 
9898/tc 
9898/ud 
9899/tc 
9899/ud 
9900/tc 
9900/ud 
9901-99 
9909/tc 
9909/ud 
9910-99 
9950/tc 
9950/ud 
9951/tc 
9951/ud 
9952/tc
9952/ud 
9953-99 
9992/tc 
9992/ud 
9993/tc 
9993/ud 
9994/tc 
9994/ud 
9995/tc 
9995/ud 
9996/tc 
9996/ud 
9997/tc
9997/ud 
9998/tc 
9998/ud 
9999/tc 
9999/udp 
0000/tcp 
0000/udp 
0007/tcp
0007/udp 


0080/tcp 
0080/udp 


0113/tcp 
0113/udp 
0114/tcp 
fjinvmgr
fjinvmgr 
MpIdcAgt 
MpIdcAgt 
Unassigned 
ismserver 
ismserver 
Unassigned 


Unassigned 
Message System 
Message System 
Ping Discovery 
Ping Discovery 
Unassigned 
MICROMUSE-NCPW 
MICROMUSE-NCPW 
Unassigned 
rasadv 

rasadv 
Unassigned 
Session Direct 
Session Direct 
CYBORG Systems 
CYBORG Systems 
MonkeyCom 
MonkeyCom 

SCTP TUNNELING 
SCTP TUNNELING 
IUA 

IUA 

Unassigned 
domaintime 
domaintime 
Unassigned 
APCPCPLUSWIN1 
APCPCPLUSWIN1 
APCPCPLUSWIN2 
APCPCPLUSWIN2 
APCPCPLUSWIN3 
APCPCPLUSWIN3 
Unassigned 
Palace 

Palace 

Palace 

Palace 

Palace 

Palace 

Palace 

Palace 

Palace 

Palace 

Palace 

Palace 
Distinct32 
Distinct32 
distinct 
distinct 
Network Data 
Network Data 











0001-10006 Unassigned 


MVS Capacity 
MVS Capacity 


0008-10079 Unassigned 


Amanda 
Amanda 


0081-10112 Unassigned 


NetIQ Endpoint 
NetIQ Endpoint 
NetIQ Qcheck 
vrcommerce
vrcommerce 
ito-e-gui 
ito-e-gui 
ovtopmd 
ovtopmd 
snifferserver 
snifferserver 
combox-web-acc
combox-web-acc
madcap 

madcap 
btpp2audctrl
btpp2audctrl
upgrade 
upgrade 
vnwk-prapi 
vnwk-prapi 
vsiadmin 
vsiadmin 
lonworks 
lonworks 
lonworks2 
lonworks2 
davinci 
davinci 

reftek 

reftek 
novell-zen 
novell-zen 
sis-emt 
sis-emt 
vytalvaultbrtp 
vytalvaultbrtp 
vytalvaultvsmp 
vytalvaultvsmp 
vytalvaultpipe 
vytalvaultpipe 
ipass 

ipass 

ads 

ads 
isg-uda-server 
isg-uda-server 
call-logging 
call-logging 
efidiningport 
efidiningport 
vcenet-link-v10 
vcenet-link-v10 
compaq-wcp 
compaq-wcp 
nicetec-nmsvc 
nicetec-nmsvc 
nicetec-mgmt 
nicetec-mgmt 
pclemultimedia 
pclemultimedia 
lstp 

lstp 

labrat 

labrat 
mosaixcc 
mosaixcc 
delibo 

delibo 
cti-redwood 
cti-redwood 
hp-3000-telnet 
coord-svr 
coord-svr 


2530/ 
2530/ 
2531/ 
2531/ 
2532/ 
2532/ 
2533/ 
2533/ 
2534/ 
2534/ 
2535/
2535/ 
2536/ 
2536/ 
2537/ 
2537/ 
2538/ 
2538/ 
2539/ 
2539/ 
2540/ 
2540/ 
2541/ 
2541/ 
2542/ 
2542/ 
2543/ 
2543/ 
2544/ 
2544/ 
2545/ 
2545/ 
2546/ 
2546/ 
2547/ 
2547/ 
2548/ 
2548/ 
2549/ 
2549/ 
2550/ 
2550/ 
2551/ 
2551/
2552/ 
2552/ 
2553/
2553/ 
2554/ 
2554/ 
2555/ 
2555/
2556/ 
2556/ 
2557/ 
2557/ 
2558/ 
2558/ 
2559/ 
2559/
2560/ 
2560/ 
2561/ 
2561/ 
2562/ 
2562/ 
2563/ 
2563/ 
2564/ 
2565/ 
2565/ 





tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
tcp 
tcp 
udp 
tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
tcp 
udp 














VR Commerce 

VR Commerce 
ITO-E GUI 

ITO-E GUI 
OVTOPMD 

OVTOPMD 
SnifferServer 
SnifferServer 
Combox Web Acc 
Combox Web Acc 
MADCAP 

MADCAP 
btpp2audctrl
btpp2audctrl
Upgrade Protocol 
Upgrade Protocol 
vnwk-prapi 
vnwk-prapi 

VSI Admin 
VSI Admin 
LonWorks 
LonWorks 
LonWorks2 
LonWorks2 
daVinci 
daVinci 
REFTEK
REFTEK
Novell ZE 
Novell ZE 
sis-emt 
sis-emt 
vytalvaultbrtp 
vytalvaultbrtp 
vytalvaultvsmp 
vytalvaultvsmp 
vytalvaultpipe 
vytalvaultpipe 
IPASS 

IPASS 

ADS 

ADS 

ISG UDA Server 
ISG UDA Server 
Call Logging 
Call Logging 
efidiningport 
efidiningport 
vCnet-Link v10 
vCnet-Link v10 
Compaq WCP 
Compaq WCP 
nicetec-nmsvc 
nicetec-nmsvc 
nicetec-mgmt 
nicetec-mgmt 
PCLE Multi Media 
PCLE Multi Media 
LSTP 

LSTP 

labrat 

labrat 

MosaixCC 
MosaixCC 

Delibo 

Delibo 

CTI Redwood 

CTI Redwood 

HP 3000 NS/VT 
Coordinator Serv 
Coordinator Serv 








netiq-qcheck 
ganymede-endpt 
ganymede-endpt 
# 

bmc-perf-sd 
bmc-perf-sd 

# 

blocks 

blocks 

# 

irisa 

irisa 

metasys 
metasys 


vce 
vce 


atm-uhas 
atm-uhas 


h323callsigalt 
h323callsigalt 








entextxid 
entextxid 
entextnetwk 
entextnetwk 
entexthigh 
entexthigh 
entextmed 
entextmed 
entextlow 
entextlow 


hivep 
hivep 


tsaf 
tsaf 


i-zipqd
i-zipqd








powwow-client 
powwow-client 
powwow-server 
powwow-server 


prd 

prd 

pbrm 

pbrm 
pjava-msvc 
pjava-msvc 


pcd 
pcd 
vopied 
vopied 







smcc-config
smcc-config 
smcc-session 
smcc-session 
smcc-passthru 
smcc-passthru 
smcc-download 
smcc-download 
smcc-ccp
smcc-ccp 
0114/ud
0115/tc
0115/ud 
0116-10 
0128/tc 
0128/ud 
0129-10 
0288/tc 
0288/ud 
0289-10 
000/tc 
000/ud 
001/tc 
001/ud 
002- 
111/tc
111/ud 
112-
367/tc 
367/ud 
368- 
720/tc 
720/ud 
2 
2000/tc 
2000/ud 
2001/tc
2001/ud 
2002/tc 
2002/ud 
2003/tc
2003/ud 
2004/tc 
2004/ud 
2005-12 

















3224/ud 
3225-13 
3720/tc 
3720/ud 
3721/tc
3721/ud
3722/tc
3722/ud 
3723-13 
3782/tc 
3782/ud 
3783/tc
3783/ud 
3784-13 
3818/tc 
3818/ud 
3819/tc 
3819/ud 
3820/tc 
3820/ud 
3821/tc 
3821/ud 
3822/tc 
3822/ud 





ot 
87 


99 


10 


66 


aL 
52 
59 


22 


1g 


81 


p 
p 
p 
1 
p 
p 
2 
p 
p 
9 
p 
p 
p 
p 
1 
p 
p 
3 
p 
p 
7 
p 
p 
9 
p 
p 
p 
p 
p 
p 
p 
p 
p 
p 
1 
p 
p 
7 
p 
p 
1 
p 
p 
2 
p 
p 
p 
p 
7 
p 
p 
p 
p 
p 
p 
7 
p 
p 
p 
p 
817 
p 

p 

p 

p 

p 

p 

p 

p 

p 

p 
NetIQ Qcheck
Ganymede 
Ganymede 
Unassigned 
BMC-PERFORM 
BMC-PERFORM 
Unassigned 
Blocks 
Blocks 
Unassigned 
IRISA 
IRISA 
Metasys 
Metasys 
Unassigned 
iral (VCE) 
iral (VCE) 
Unassigned 
TM UHAS 
TM UHAS 
Unassigned 
323 Call Signal 
323 Call Signal 
Unassigned 
BM Enterprise 
BM Enterprise 
BM Enterprise 
BM Enterprise 
BM Enterprise 
BM Enterprise 
BM Enterprise 
BM Enterprise 
BM Enterprise 
BM Enterprise 
Unassigned 
HiveP 
HiveP 
Unassigned 
tsaf port 
tsaf port 
Unassigned 
I-ZIPQD 
I-ZIPQD 
Unassigned 
PowWow Client 
PowWow Client 
PowWow Server 
PowWow Server 
Unassigned 
BPRD Protocol 
BPRD Protocol 
BPBRM Protocol 
BPBRM Protocol 
BP Java MSVC 
BP Java MSVC 
Unassigned 
VERITAS 
VERITAS 
VOPIED Protocol
VOPIED Protocol 
Unassigned 
DSMCC Config 
DSMCC Config 
DSMCC Session 
DSMCC Session 
DSMCC Pass-Thru 
DSMCC Pass-Thru 
DSMCC Download 
DSMCC Download 
DSMCC Channel 
DSMCC Channel 


Vv 
Vv 





























868 


pcs-pcw 
pcs-pcw 

clp 

clp 

spamtrap 
spamtrap 
sonuscallsig 
sonuscallsig 
hs-port 
hs-port 

cecsvc 

cecsvc 

ibp 

ibp 
trustestablish 
trustestablish 
blockade-bpsp 
blockade-bpsp 
hl7 

hl7 
tclprodebugger 
tclprodebugger 
scipticslsrvr 
scipticslsrvr 
rvs-isdn-dcp 
rvs-isdn-dcp 
mpfoncl 
mpfoncl 
tributary 
tributary 
argis-te 
argis-te 
argis-ds 
argis-ds

mon 

mon 

cyaserv 
cyaserv 
netx-server 
netx-server 
netx-agent 
netx-agent 
masc 

masc 

privilege 
privilege 
quartus-tcl 
quartus-tcl 
idotdist 
idotdist 
maytagshuffle 
maytagshuffle 
netrek 

netrek 
mns-mail
mns-mail 

dts 

dts 
worldfusionl 
worldfusionl 
worldfusion2 
worldfusion2 
homesteadglory 
homesteadglory 
citriximaclient 
citriximaclient 
meridiandata 
meridiandata 
hpstgmgr 
hpstgmgr 
discp-client 


2566/ 
2566/ 
2567/ 
2567/ 
2568/ 
2568/ 
2569/ 
2569/ 
2570/ 
2570/ 
2571/ 
2571/ 
2572/
2572/ 
2573/ 
2573/ 
2574/ 
2574/ 
2575/ 
2575/
2576/ 
2576/ 
2577/
2577/ 
2578/ 
2578/ 
2579/ 
2579/ 
2580/ 
2580/ 
2581/ 
2581/ 
2582/ 
2582/ 
2583/ 
2583/ 
2584/ 
2584/ 
2585/ 
2585/ 
2586/ 
2586/ 
2587/ 
2587/ 
2588/ 
2588/ 
2589/ 
2589/ 
2590/ 
2590/ 
2591/ 
2591/ 
2592/ 
2592/ 
2593/ 
2593/ 
2594/ 
2594/ 
2595/ 
2595/ 
2596/ 
2596/ 
2597/ 
2597/ 
2598/ 
2598/ 
2599/ 
2599/ 
2600/ 
2600/ 
2601/ 


tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp
udp 
tcp 
udp 
tcp














pcs-pcw 
pcs-pcw 

Cisco Line Proto 
Cisco Line Proto 
SPAM TRAP 

SPAM TRAP 

Sonus Call Sign 
Sonus Call Sign 
HS Port 

HS Port 

CECSVC 

CECSVC 

IBP 

IBP 

Trust Establish 
Trust Establish 
Blockade BPSP 
Blockade BPSP 
HL7 

HL7 

TCL Pro Debugger 
TCL Pro Debugger 
Scriptics Lsrvr 
Scriptics Lsrvr 
RVS ISDN DCP 

RVS ISDN DCP 
mpfoncl 

mpfoncl 
Tributary 
Tributary 

ARGIS TE 

ARGIS TE 

ARGIS DS 

ARGIS DS 

ON 

ON 

cyaserv 

cyaserv 

ETX Server 

ETX Server 

ETX Agent 

ETX Agent 

IASC 

ASC 

Privilege 
Privilege 
quartus tcl 
quartus tcl 
idotdist 
idotdist 

Maytag Shuffle 
Maytag Shuffle 
netrek 

netrek 

MNS Mail Notice 
MNS Mail Notice 
Data Base Server 
Data Base Server 
World Fusion 1 
World Fusion 1 
World Fusion 2 
World Fusion 2 
Homestead Glory 
Homestead Glory 
Citrix MA Client 
Citrix MA Client 
Meridian Data 
Meridian Data 
HPSTGMGR 
HPSTGMGR 

discp client 











# 
itu-sccp-ss7 
itu-sccp-ss7 
# 
netserialextl 
netserialextl 
netserialext2 
netserialext2 
# 
netserialext3 
netserialext3 
netserialext4 
netserialext4 





intel-rci-mp 
intel-rci-mp 


isode-dua 
isode-dua 


chipper 
chipper 


biimenu 
biimenu 








psec-cvp 
psec-cvp 
psec-ufp 
psec-ufp 
psec-sam 
psec-sam 
psec-lea 
psec-lea 
psec-omi 
psec-omi 


psec-ela 
psec-ela 
c-cluster 
c-cluster 




o@ 


pc-necmp 
pc-necmp 


o@ 


fe) 


opsec-uaa
opsec-uaa





ie) 


keysrvr 
keysrvr 


keyshadow 
keyshadow 





hp-sco 
hp-sco 
hp-sca 
hp-sca 
hp-sessmon 
hp-sessmon 


jcp 


Q 


np 
dnp 


track 
track 








athand-mmp 
athand-mmp 


0 





Oe 
fee} 
oO 
3823-14000 Unassigned
ITU SCCP (SS7) 
ITU SCCP (SS7) 
359 Unassigned 
netserialextl 
netserialextl 
netserialext2 
netserialext2 
366 Unassigned 
netserialext3 
netserialext3 
netserialext4 
netserialext4 


Unassigned 
INTEL-RCI-MP 
INTEL-RCI-MP 
Unassigned 





Unassigned 
Chipper 
Chipper 
Unassigned 
Beckman Inc. 
Beckman Inc. 
Unassigned 
PSEC CVP 
PSEC CVP 
PSEC UFP 
PSEC UFP 
PSEC SAM 
PSEC SAM 
PSEC LEA 
PSEC LEA 
PSEC OMI 
PSEC OMI 
Unassigned
PSEC ELA 
PSEC ELA 
C Cluster 
C Cluster 
Unassigned 
PCNECMP 
PCNECMP 
Unassigned 
opsec-uaa
opsec-uaa
Unassigned 
Key Server
Key Server
Unassigned
Key Shadow
Key Shadow
Unassigned 
hp-sco 
hp-sco 
hp-sca 
hp-sca 
HP-SESSMON
HP-SESSMON
Unassigned 
JCP Client 
Unassigned 
DNP 

DNP 
Unassigned 
Track 

Track 
Unassigned 
At Hand MMP 
AT Hand MMP 














discp-client 
discp-server 
discp-server 
servicemeter 
servicemeter 
nsc-ccs
nsc-ccs
nsc-posa
nsc-posa
netmon 

netmon 
connection 
connection 
wag-service 
wag-service 
system-monitor 
system-monitor 
versa-tek 
versa-tek 
lionhead 
lionhead 
qpasa-agent 
qpasa-agent 
smntubootstrap 
smntubootstrap 
neveroffline 
neveroffline 
firepower 
firepower 
appswitch-emp 
appswitch-emp 
cmadmin 
cmadmin 
priority-e-com 
priority-e-com 
bruce 

bruce 
lpsrecommender 
lpsrecommender 
miles-apart 
miles-apart 
metricadbc 
metricadbc 
imdp 

imdp 

aria 

aria 
blwnkl-port 
blwnkl-port 

gbjd816

gbjd816
moshebeeri 
moshebeeri 
dict

dict
sitaraserver 
sitaraserver 
sitaramgmt 
sitaramgmt 
sitaradir 
sitaradir 
irdg-post 
irdg-post 
interintelli 
interintelli 
pk-electronics 
pk-electronics 
backburner 
backburner 
solve 

solve 








2601/ 
2602/ 
2602/ 
2603/ 
2603/ 
2604/ 
2604/ 
2605/ 
2605/ 
2606/ 
2606/ 
2607/ 
2607/ 
2608/ 
2608/ 
2609/ 
2609/ 
2610/ 
2610/ 
2611/ 
2611/ 
2612/ 
2612/ 
2613/ 
2613/ 
2614/ 
2614/ 
2615/ 
2615/ 
2616/ 
2616/ 
2617/ 
2617/ 
2618/ 
2618/ 
2619/ 
2619/ 
2620/ 
2620/ 
2621/ 
2621/ 
2622/ 
2622/ 
2623/ 
2623/ 
2624/ 
2624/ 
2625/ 
2625/ 
2626/ 
2626/ 
2627/ 
2627/ 
2628/ 
2628/ 
2629/ 
2629/ 
2630/ 
2630/ 
2631/ 
2631/ 
2632/ 
2632/ 
2633/ 
2633/ 
2634/ 
2634/ 
2635/ 
2635/ 
2636/ 
2636/ 


udp 
tcp
udp 
tcp 
udp 
tcp 
udp 
tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 
tcp 
udp 














discp client 
discp server 
discp server 
Service Meter 
Service Meter 
NSC CCS 

NSC CCS 

NSC POSA 

NSC POSA 

Dell Netmon 
Dell Netmon 
Dell Connection 
Dell Connection 
Wag Service 
Wag Service 
System Monitor 
System Monitor 
VersaTek 
VersaTek 
LIONHEAD 
LIONHEAD 

Qpasa Agent 
Qpasa Agent 
SMNTUBootstrap 
SMNTUBootstrap 
Never Offline 
Never Offline 
firepower 
firepower 
appswitch-emp 
appswitch-emp 


Clinical Context 
Clinical Context 


Priority E-Com 
Priority E-Com 
bruce 

bruce
LPSRecommender 
LPSRecommender 
Miles Apart 
Miles Apart 
MetricaDBC

MetricaDBC
LMDP 

LMDP 

Aria 

Aria 

Blwnkl Port 
Blwnkl Port 

gbjd816

gbjd816

Moshe Beeri 
Moshe Beeri 
DICT 
DICT
Sitara 
Sitara 
Sitara 
Sitara 
Sitara Dir 
Sitara Dir 
IRdg Post 

IRdg Post 
InterIntelli 
InterIntelli 
PK Electronics 
PK Electronics 
Back Burner 
Back Burner 
Solve 

Solve 


Server 
Server 
Mgr
Mgr 








# 
vofr-gateway 
vofr-gateway 
# 

webphone 
webphone 
netspeak-is 
netspeak-is 
netspeak-cs 
netspeak-cs 
netspeak-acd 
netspeak-acd 
netspeak-cps 
netspeak-cps 
# 

snapenetio 
snapenetio 
optocontrol 
optocontrol 





wnn6 
wnn6 


aws-brf 
aws-brf 











intel_rci 
intel_rci 

# 

binkp 

binkp 

# 
icl-twobase1
icl-twobase1
icl-twobase2 
icl-twobase2 
icl-twobase3 
icl-twobase3 
icl-twobase4 
icl-twobase4 
icl-twobase5 
icl-twobase5 
icl-twobase6 
icl-twobase6 
icl-twobase7 
icl-twobase7 
icl-twobase8 
icl-twobase8 
icl-twobase9 
icl-twobase9 
icl-twobase10
icl-twobase10
# 


vocaltec-hos 





20300-21 
590/tc 
590/ud 
591-21 
845/tc 
845/ud 
846/tc 
846/ud 
847/tc
847/ud 
848/tc 
848/ud 
849/tc 
849/ud 
21850-21 
22000/tc 
22000/ud 
22001/tc 
22001/ud 
22002-22 
22273/tc
22273/ud 
22556-22 
22800/tc 
22800/ud 
22801-22 
22951/tc
22951/ud 
22952-23 
24000/tc 
24000/ud 
24001/tc 
24001/ud 
24002/tc 
24002/ud 
24003/tc 
24003/ud 
24004/tc
24004/ud 
24005/tc 
24006/tc 
24006/ud 
24007-24 
24386/tc 
24386/ud 
24387-24 
24554/tc
24554/ud 
24555-24 
25000/tc 
25000/ud 
25001/tc 
25001/ud 
25002/tc 
25002/ud 
25003/tc 
25003/ud 
25004/tc 
25004/ud 
25005/tc 
25005/ud 
25006/tc 
25006/ud 
25007/tc
25007/ud 
25008/tc 
25008/ud 
25009/tc 
25009/ud 
25010-25 
25793/tc
589 Unassigned
p VoFR Gateway 
p VoFR Gateway 
844 Unassigned 
p webphone 
webphone 

Net Speak 

Net Speak 

Net Speak 

Net Speak 

Net Speak 

Net Speak 

Net Speak 

p NetSpeak 

999 Unassigned 
p SNAPenetIO 

p SNAPenetIO 

p OptoControl 
p OptoControl 
272 Unassigned 
p wnn6 
p wnn6 
799 Unassigned 
p Telerate LAN 
p Telerate LAN 
950 Unassigned 
p Telerate WAN 
p Telerate WAN 
999 Unassigned 
med-ltp 
med-ltp 
med-fsp-rx 
med-fsp-rx 
med-fsp-tx 
med-fsp-tx 
med-supp 
med-supp 
med-ovw 
med-ovw 
med-ci 
med-net-svc 
med-net-svc 
385 Unassigned 
p Intel RCI 

p Intel RCI 
553 Unassigned 
p BINKP 

p BINKP 

999 Unassigned 
p icl-twobase1
p icl-twobase1
p icl-twobase2 
p icl-twobase2 
p icl-twobase3 
p icl-twobase3 
p icl-twobase4 
p icl-twobase4 
p icl-twobase5 
p icl-twobase5 
p icl-twobase6
p icl-twobase6 
p 
p 
p 
p 
p 
p 
p 
p 
7 
p 













0 
icl-twobase7
icl-twobase7 
icl-twobase8 
icl-twobase8 
icl-twobase9 
icl-twobase9 
icl-twobase10
icl-twobase10
92 Unassigned 
Vocaltec 








870 


imdocsvc
imdocsvc 
sybaseanywhere 
sybaseanywhere 
aminet 

aminet 
sai_sentlm 
sai_sentlm 
hdl-srv 
hdl-srv 

tragic 

tragic 
gte-samp 
gte-samp 
travsoft-ipx-t 
travsoft-ipx-t 
novell-ipx-cmd 
novell-ipx-cmd 
and-lm 

and-lm 
syncserver 
syncserver 
upsnotifyprot 
upsnotifyprot 
vpsipport 
vpsipport 
eristwoguns 
eristwoguns 
ebinsite 
ebinsite 
interpathpanel 
interpathpanel 
sonus 

sonus 
corel_vncadmin 
corel_vncadmin 
unglue 

unglue 

kana 

kana 
sns-dispatcher 
sns-dispatcher 
sns-admin 
sns-admin 
sns-query 
sns-query 
gcmonitor
gcmonitor
olhost 

olhost 
bintec-capi 
bintec-capi 
bintec-tapi 
bintec-tapi 
command-mq-gm 
command-mq-gm 
command-mq-pm 
command-mq-pm 
extensis 
extensis 


2637/tcp 
2637/udp 


2638/ 


tcp 


2638/udp 


2639/ 


tcp 


2639/udp 


2640/ 


tcp 


2640/udp 


2641/ 


tcp 


2641/udp 


2642/ 


tcp 


2642/udp 


2643/ 


tcp 


2643/udp 


2644/ 





tcp 


2644/udp 
2645/tcp 
2645/udp 
2646/tcp 
2646/udp 


2647/ 


tcp 


2647/udp 


2648/ 


tcp 


2648/udp 


2649/ 





tcp 


2649/udp 


2650/ 


tcp 


2650/udp 
2651/tcp 
2651/udp 


2652/ 





tcp 


2652/udp 
2653/tcp 
2653/udp 
2654/tcp 
2654/udp 


2655/ 


tcp 


2655/udp 


2656/ 


tcp 


2656/udp 


2657/ 


tcp 


2657/udp 


2658/ 


tcp 


2658/udp 


2659/ 


tcp 


2659/udp 


2660/ 


tcp 


2660/udp 


2661/ 





tcp 


2661/udp 
2662/tcp 
2662/udp 
2663/tcp 
2663/udp 
2664/tcp 
2664/udp 
2665/tcp 
2665/udp 
2666/tcp 
2666/udp 


Document 
Document 
Anywhere 
Anywhere 


Import 
Import 
Sybase 
Sybase 
AMInet 
AMInet 
Sabbagh 
Sabbagh 
HDL Server 

HDL Server 
Tragic 

Tragic 

GTE-SAMP 
GTE-SAMP 
Travsoft IPX 
Travsoft IPX 
Novell IPX CMD 
Novell IPX CMD 
AND License Mgr
AND License Mgr 
SyncServer 
SyncServer 
Upsnotifyprot 
Upsnotifyprot 
VPSIPPORT 
VPSIPPORT 
eristwoguns 
eristwoguns 
EBInSite 
EBInSite 
InterPathPanel 
InterPathPanel 
Sonus 

Sonus 

Corel VNC Admin 
Corel VNC Admin 
UNIX Nt Glue

UNIX Nt Glue
Kana

Kana
SNS Dispatcher
SNS Dispatcher
SNS Admin

SNS Admin

SNS Query

SNS Query

GC Monitor

GC Monitor
OLHOST

OLHOST
BinTec-CAPI 
BinTec-CAPI 
BinTec-TAPI 
BinTec-TAPI 
Command MQ GM 
Command MQ GM 
Command MQ PM 
Command MQ PM 
extensis 
extensis 













vocaltec-hos 


quake 
quake 


wnn6-ds 
wnn6-ds 


flex-lm 


tw-auth-key 
tw-auth-key 








filenet-tms 
filenet-tms 
filenet-rpc 
filenet-rpc 
filenet-nch 
filenet-nch 


traceroute 
traceroute 


kastenxpipe 
kastenxpipe 


cscp 
cscp 


rockwell-encap 
rockwell-encap 


eba 
eba 


ssr-servermgr 
ssr-servermgr 


dbbrowse 
dbbrowse 


directplaysrvr 
directplaysrvr 


ap 
ap 


bacnet 
bacnet 








nimcontroller 
nimcontroller 
nimspooler 
nimspooler 
nimhub 

nimhub 

nimgtw 

nimgtw 


# 


25793/ud 
25794-25 
26000/tc 
26000/ud 
26001-26 
26208/tc 
26208/ud 
26209-26 
27000-27 
27008-27 
27999/tc 
27999/ud 
28000-32 
32768/tc 
32768/ud 
32769/tc
32769/ud 
32770/tc 
32770/ud 
32771-33 
33434/tc
33434/ud 
33435-36 
36865/tc 
36865/ud 
36866-40 
40841/tc 
40841/ud 
40842-43 
44818/tc 
44818/ud 
44819-45 
45678/tc 
45678/ud 
45679-45 
45966/tc 
45966/ud 
45967-47 
47557/tc
47557/ud 
47558-47 
47624/tc 
47624/ud 
47625-47 
47806/tc 
47806/ud 
47807 

47808/tc 
47808/ud 
47809-47 
48000/tc 
48000/ud 
48001/tc 
48001/ud 
48002/tc 
48002/ud 
48003/tc 
48003/ud 





p 
999 
p 

p 


33 


64 


40 


87 


77 


65 


56 


05 







p 
Vocaltec
Unassigned 
quake 

quake 
Unassigned 
wnn6-ds 
wnn6-ds 
Unassigned 
FLEX LM (1-10) 
Unassigned 
TW 
Attribute 
Unassigned 
Filenet TMS 
Filenet TMS 
Filenet RPC 
Filenet RPC 
Filenet NCH 
Filenet NCH 
Unassigned 
traceroute
traceroute
Unassigned
KastenX Pipe
KastenX Pipe
Unassigned
CSCP

CSCP
Unassigned
Rockwell Encaps
Rockwell Encaps
Unassigned 
EBA PRISE 
EBA PRISE 
Unassigned 
SSRServerMgr 
SSRServerMgr 
Unassigned 
Databeam Corp 
Databeam Corp
Unassigned 
Direct Play Serv 
Direct Play Serv 
Unassigned 
ALC Protocol 
ALC Protocol 
Unassigned 
Building Aut
Building Aut
Unassigned 
Nimbus Control 
Nimbus Control 
Nimbus Spooler 
Nimbus Spooler 
Nimbus Hub 
Nimbus Hub 
Nimbus Gateway 
Nimbus Gateway 








48004-49151 Unassigned
Trojan Ports:
This is a list of ports commonly used by Trojan horses. Please note that all ports are TCP unless
UDP is stated.

Decimal Trojan(s)

2 - Death
21 - Back Construction, Blade Runner, Doly Trojan, Fore, FTP trojan, Invisible
FTP, Larva, MBT, Motiv, Net Administrator, Senna Spy FTP Server, WebEx, WinCrash
23 - Tiny Telnet Server, Truva Atl
25 - Aji, Antigen, Email Password Sender, Gip, Happy 99, I Love You, Kuang 2,
Magic Horse, Moscow Email Trojan, Naebi, NewApt, ProMail trojan, Shtrilitz,
Stealth, Tapiras, Terminator, WinPC, WinSpy
31 - Agent 31, Hackers Paradise, Masters Paradise
41 - DeepThroat
48 - DRAT
50 - DRAT
59 - DMSetup
79 - Firehotcker
80 - Back End, Executor, Hooker, RingZero
99 - Hidden Port
110 - ProMail trojan
113 - Invisible Identd Deamon, Kazimas
119 - Happy 99
121 - JammerKillah
123 - Net Controller
133 - Farnaz, port 146 - Infector
146 - Infector (UDP)
170 - A-trojan
421 - TCP Wrappers
456 - Hackers Paradise
531 - Rasmin
555 - Ini-Killer, NeTAdministrator, Phase Zero, Stealth Spy
606 - Secret Service
666 - Attack FTP, Back Construction, NokNok, Cain & Abel, Satanz Backdoor,
ServeU, Shadow Phyre
667 - SniperNet
669 - DP Trojan
692 - GayOL
777 - Aim Spy
808 - WinHole
911 - Dark Shadow
999 - DeepThroat, WinSatan
1000 - Der Spaeher 3
1001 - Der Spaeher 3, Le Guardien, Silencer, WebEx
1010 - Doly Trojan
1011 - Doly Trojan
1012 - Doly Trojan
1015 - Doly Trojan
1016 - Doly Trojan
1020 - Vampire
1024 - NetSpy
1042 - Bla
1045 - Rasmin
1050 - MiniCommand
1080 - WinHole
1081 - WinHole
1082 - WinHole
1083 - WinHole
1090 - Xtreme
1095 - RAT
1097 - RAT
1098 - RAT
1099 - BFevolution, RAT
1170 - Psyber Stream Server, Streaming Audio trojan, Voice
1200 - NoBackO (UDP)
1201 - NoBackO (UDP)
1207 - SoftWAR
1212 - Kaos
1229 - Scarab
1234 - Ultors Trojan
1243 - BackDoor-G, SubSeven, SubSeven Apocalypse
1245 - VooDoo Doll
1255 - Scarab
1256 - Project nEXT
1269 - Mavericks Matrix
1313 - NETrojan
1338 - Millenium Worm
1349 - BO DLL (UDP)
1492 - FTP 99CMP
1509 - Psyber Streaming Server
1524 - Trinoo
1600 - Shivka-Burka
1777 - Scarab
1807 - SpySender
1966 - Fake FTP
1969 - Opc BO
1981 - Shockrave
1999 - BackDoor, TransScout
2000 - Der Spaeher 3, Insane Network, TransScout
2001 - Der Spaeher 3, TransScout, Trojan Cow
2002 - TransScout
2003 - TransScout
2004 - TransScout
2005 - TransScout
2023 - Ripper
2080 - WinHole
2115 - Bugs
2140 - Deep Throat, The Invasor
2155 - Illusion Mailer
2283 - HVL Rat5
2300 - Xplorer
2565 - Striker
2583 - WinCrash
2600 - Digital RootBeer
2716 - The Prayer
2773 - SubSeven
2801 - Phineas Phucker
3000 - Remote Shutdown
3024 - WinCrash
3128 - RingZero
3129 - Masters Paradise
3150 - Deep Throat, The Invasor
3456 - Teror Trojan
3459 - Eclipse 2000, Sanctuary
3700 - Portal of Doom
3791 - Eclypse
3801 - Eclypse (UDP)
4000 - Skydance
4092 - WinCrash
4242 - Virtual hacking Machine
4321 - BoBo
4444 - Prosiak, Swift remote
4567 - File Nail
4590 - ICQTrojan
5000 - Bubbel, Back Door Setup, Sockets de Troie
5001 - Back Door Setup, Sockets de Troie
5010 - Solo
5011 - One of the Last Trojans (OOTLT)
5031 - NetMetropolitan
5032 - NetMetropolitan
5321 - Firehotcker
5343 - wCrat
5400 - Blade Runner, Back Construction
5401 - Blade Runner, Back Construction
5402 - Blade Runner, Back Construction
5550 - Xtcp
5512 - Illusion Mailer
5555 - ServeMe
5556 - BO Facil
5557 - BO Facil
5569 - Robo-Hack
5637 - PC Crasher
5638 - PC Crasher
5742 - WinCrash
5882 - Y3K RAT (UDP)
5888 - Y3K RAT
6000 - The Thing
6006 - The Thing
6272 - Secret Service
6400 - The Thing
6667 - Schedule Agent
6669 - Host Control, Vampyre
6670 - DeepThroat, BackWeb Server, WinNuke eXtreame
6711 - SubSeven
6712 - Funny Trojan, SubSeven
6713 - SubSeven
6723 - Mstream
6771 - DeepThroat
6776 - 2000 Cracks, BackDoor-G, SubSeven
6838 - Mstream (UDP)
6912 - Shit Heep (not port 69123!)
6939 - Indoctrination
6969 - GateCrasher, Priority, IRC 3, NetController
6970 - GateCrasher
7000 - Remote Grab, Kazimas, SubSeven
7001 - Freak88
7215 - SubSeven
7300 - NetMonitor
7301 - NetMonitor
7306 - NetMonitor
7307 - NetMonitor
7308 - NetMonitor
7424 - Host Control
7424 - Host Control (UDP)
7789 - Back Door Setup, ICKiller
7983 - Mstream
8080 - RingZero
8787 - Back Orifice 2000
8897 - HackOffice
8988 - BacHack
8989 - Recon
9000 - Netministrator
9325 - Mstream (UDP)
9400 - InCommand
9872 - Portal of Doom
9873 - Portal of Doom
9874 - Portal of Doom
9875 - Portal of Doom
9876 - Cyber Attacker, RUX
9878 - TransScout
9989 - iNi-Killer
9999 - The Prayer
10067 - Portal of Doom (UDP)
10085 - Syphillis
10086 - Syphillis
10101 - BrainSpy
10167 - Portal of Doom (UDP)
10528 - Host Control
10520 - Acid Shivers
10607 - Coma
10666 - Ambush (UDP)
11000 - Senna Spy
11050 - Host Control
11051 - Host Control
11223 - Progenic trojan, Secret Agent
12076 - Gjamer
12223 - Hack'99 KeyLogger
12345 - GabanBus, My Pics, NetBus, Pie Bill Gates, Whack Job, X-bill
12346 - GabanBus, NetBus, X-bill
12349 - BioNet
(The port numbers for the following entries did not survive extraction; only the Trojan names remain.)

Whack-a-mole
Whack-a-mole
DUN Control (UDP)
Buttman
WhackJob
Mstream
Senna Spy
Hacker Brazil
Host Control
Mstream
Stacheldracht
Mosucker
ICQ Revenge
Priority
Mosaic
Kuang2 The Virus
Nephron
Shaft (UDP)
ICQ Revenge
Millennium
AcidkoR
NetBus 2 Pro, NetRex, Whack Job
Chupacabra
Bla
Shaft
Shaft (UDP)
GirlFriend, Kidterror, Schwindler, WinSp00fer
Prosiak
Logged
Asylum
Evil FTP, Ugly FTP, Whack Job
Donald Dick
Donald Dick (UDP)
Donald Dick
Delta Source (UDP)
Spy Voice
SubSeven
Trinoo (UDP)
SubSeven
Trinoo
Host Control
The Unexplained (UDP)
TerrOr32
AOL Trojan
NetSphere
NetSphere
NetSphere
NetSphere
NetSphere (UDP)
NetSphere
Sockets de Troie
Intruse
Kuang2
Trinoo (UDP)
Bo Whack, ButtFunnel
["ELEET" port] - Baron Night, BO client, BO2, Bo Facil
["ELEET" port] - BackFire, Back Orifice, DeepBO, NetSpy DK, ButtFunnel
Back Orifice, DeepBO (UDP)
NetSpy DK
BOWhack
Hack 'a' Tack
Hack 'a' Tack
Hack 'a' Tack
Hack 'a' Tack (UDP)
Hack 'a' Tack (UDP)
Hack 'a' Tack
Peanut Brittle, Project nEXT
Acid Battery
Blakharaz, Prosiak
PsychWard
Freak
(UDP)
33777 - PsychWard
33911 - Spirit 2001a
34324 - BigGluck, TN
34555 - Trinoo (Windows) (UDP)
35555 - Trinoo (Windows) (UDP)
37651 - YAT
40412 - The Spy
40421 - Agent 40421, Masters Paradise
40422 - Masters Paradise
40423 - Masters Paradise
40426 - Masters Paradise
41666 - Remote Boot
41666 - Remote Boot (UDP)
44444 - Prosiak
47262 - Delta Source (UDP)
50505 - Sockets de Troie
50766 - Fore, Schwindler
51996 - Cafeini
52317 - Acid Battery 2000
53001 - Remote Windows Shutdown
54283 - SubSeven
54320 - Back Orifice 2000
54321 - School Bus
54321 - Back Orifice 2000 (UDP)
57341 - NetRaider
58339 - ButtFunnel
60000 - Deep Throat
60068 - Xzip 6000068
60411 - Connection
61348 - Bunker-Hill
61466 - Telecommando
61603 - Bunker-Hill
63485 - Bunker-Hill
65000 - Devil, Stacheldracht
65432 - The Traitor
65432 - The Traitor (UDP)
65535 - RC